3125 matches found

Friends Of PHP
added 2019/01/15 5:30 p.m., 24 views

CVE-2019-1000011: Access control bypass in GraphQL mutations

Q/A: Bug fix? yes. New feature? no. BC breaks? no. Deprecations? no. Tests pass? yes. Fixed tickets: 2364. License: MIT. Doc PR: (none). This prevents passing IRIs belonging to different resource classes, which would bypass access control in some instances s...

CVSS 6.5, AI score 6.3, EPSS 0.01024
Exploits: 0, Affected software: 1
Hacker One
added 2019/01/07 5:45 p.m., 35 views

HackerOne: Response program can display "eligible for bounty" in scope area in program policy

Hello Hackerone Team and @jobert First of all, Happy new year to everyone. Summary Response program can also display "eligible for bounty" assets on program policy. It's basically caused from the backend, in terms of the GraphQL mutation query for eligible in bounty:true, which stays forever on response...

AI score 0.5
Exploits: 0
Hacker One
added 2019/01/01 11:18 a.m., 29 views

Starbucks: Bug in GraphQL and API integration leads to limited user address disclosure

A modified GraphQL query to fetch a user's address book entries led to a limited disclosure of user address book entries. The modified query resulted in a backend API request with undefined as a parameter. The response contained address lists of accounts with a username of undefined. We were not...

AI score 1
Exploits: 0
Hacker One
added 2018/12/12 1:59 a.m., 48 views

HackerOne: Response program can create bounty table

Summary: Follow h1 document https://docs.hackerone.com/programs/bounty-tables.htmlgatsby, create bounty table only available for bounty program. Description: Step1: Create request to graphql entrypoint Step2: Change team id in parameter like this: "teamid":"Z2lkOi8vaGFja2Vyb25lL1RlYW0vMzYyOTE="...

AI score 7.1
Exploits: 0
Friends Of PHP
added 2018/12/10 2:21 p.m., 9 views

SS-2018-007: CSRF vulnerability in graphql

More info at https://www.silverstripe.org/download/security-releases/ss-2018-007/...

AI score 7.2
Exploits: 0, Affected software: 1
Hacker One
added 2018/11/21 12:42 a.m., 66 views

HackerOne: Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details

It's possible for an attacker to enumerate embedded submission form UUIDs through HackerOne's GraphQL node interface. In normal application behavior, an embedded submission form is queried through GraphQL with a UUID. These UUIDs are random and they're not susceptible to brute force attacks...

AI score 0.3
Exploits: 0
Hacker One
added 2018/11/06 4:52 p.m., 1983 views

HackerOne: SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter

The embedded_submission_form_uuid parameter in the /graphql endpoint is vulnerable to a SQL injection. Execute the following command to reproduce the behavior: Locally: curl -X POST http://localhost:8080/graphql?embeddedsubmissionformuuid=1%27%3BSELECT%201%3BSELECT%20pgsleep\30%3B--%27...

AI score 0.3
Exploits: 0
Hacker One
added 2018/10/13 3:40 p.m., 31 views

Shopify: H1514 Get access to non public information by pivoting with graphql queries

Hi security team, Summary: It is possible to pivot with queries to get access to information you shouldn't have access to according to docs located at https://help.shopify.com/en/api/graphql-admin-api/reference/queryroot Description: I will try to write up all the ones I can find related to...

AI score 6.7
Exploits: 0
Akamai Blog
added 2018/10/10 10:00 a.m., 38 views

API Gateway -- Secure API Traffic with OAuth 2.0 and Cache GraphQL Responses

APIs are the connective tissue between software and modern digital experiences, and they must be exposed to consumers in a way that prevents misuse. This means your APIs must have appropriate governance authorization, authentication, quota management policies to prevent consumers from abusing API...

Exploits: 0
Hacker One
added 2018/10/05 11:33 p.m., 38 views

Shopify: H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption

Hi security team, Summary: With great pleasure we would like to report that we have discovered a GraphQL endpoint that discloses internal beer consumption at your offices. Description: This endpoint is leaking internal app details about how much beer you have left on any given day. Steps To...

AI score 0.2
Exploits: 0
Hacker One
added 2018/10/02 2:24 a.m., 86 views

HackerOne: Revoking user session in https://hackerone.com/settings/sessions does not revoke the GraphQL query session

Hi Team, Summary: I have found an Insufficient Session Expiration on implementation of the new Revoke user session feature of HackerOne here: https://hackerone.com/settings/sessions Description: The new REVOKE session feature will destroy the session of the selected device, that means any request...

AI score 6.6
Exploits: 0
Hacker One
added 2018/10/01 8:34 p.m., 16 views

Shopify: Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance.

Hi, I am reporting this because it looks like an authorization bug in GraphQL. A staff member having no explicit permissions on a Shopify Store may be able to retrieve the Current balances in all currencies for the account for Shopify Payments. Steps 1. STAFF account is created and assigned NO...

AI score 0.6
Exploits: 0
Hacker One
added 2018/09/15 2:34 a.m., 23 views

Shopify: Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation

Summary GraphQL LiveView operation doesn't properly check for permissions before returning data. This allows "No Access" users to access some store settings and data by providing complete Shop schema fields in the request string. Steps to reproduce 1. Log into an attacker account of a test store...

AI score 7
Exploits: 0
Hacker One
added 2018/08/20 12:14 a.m., 61 views

Shopify: Unauthenticated access to Zendesk tickets through athena-flex-production.shopifycloud.com Okta bypass

Summary athena-flex-production.shopifycloud.com seems to be an internal system that Shopify uses because it redirects the user to Okta login. During this however, I noticed that it first returns 200 and then does a redirect, meaning some part of the website loads before redirecting. With this, I was...

AI score 6.9
Exploits: 0
Hacker One
added 2018/08/02 12:13 p.m., 50 views

HackerOne: TeamProfile exposes partially sensitive information through GraphQL

I noticed there is new field teamprofile added and using the graphql below the latest serious report and reports received in three months were exposed "query":"query Dashboardreportseveritybreakdowntable$first0:Int! \n query \n id,\n ...F0\n \n\nfragment F0 on Query \n...

AI score 0.1
Exploits: 0
Hacker One
added 2018/07/10 10:13 p.m., 19 views

HackerOne: Team object exposes amount of participants in a private program to non-invited users

Summary: Hello. Similar to other reports, suddenly after the update with ordering users, the GraphQL API is exposing the amount of participants in a private program to non-invited users. This allows an attacker to retrieve the amount of participants in a private program, as well as their details...

AI score 1.9
Exploits: 0
Hacker One
added 2018/05/12 7:42 p.m., 20 views

HackerOne: User object in GraphQL exposes number of trial reports for External Programs that also have a Private Program

Summary: For this vulnerability to work, it is necessary that you should be Admin/member of at least one sandbox team, and running a GraphQL node can tell you if the external programs that exist on the directory page are running a private program on hackerone or not...

AI score 0.4
Exploits: 0
Hacker One
added 2018/05/06 11:52 a.m., 36 views

HackerOne: Team object in GraphQL that have a published external program may expose existence of a private program

Summary: Hi Team! On Team object the parameter "icannotcreatejirawebhookreasons" is not NULL and gets the following default states when called for all programs "CANNOTVIEW","FEATUREGATED","PROGRAMPERMISSIONREQUIRED" If a Company Program runs a Private Program or a Public On the "FEATUREGATED" is...

AI score 0.4
Exploits: 0
Hacker One
added 2018/04/26 2:11 p.m., 151 views

HackerOne: Team object in GraphQL discloses team group names and permissions

Summary: Hi team. We can disclose your team member groups; Description: Because of the communications error, we can disclose the data - teammembergroupsid,name,permissions Steps To Reproduce 1. "query": "query...

AI score 7.8
Exploits: 0
Hacker One
added 2018/04/25 3:16 a.m., 11 views

HackerOne: Team object in GraphQL disclosed total number of whitelisted hackers

Summary: Hi team. Whitelistedhackers: I think your setup - Two-factor authentication and IP whitelisting are available to further restrict access to accounts. Description: Again, because of the link error, I can see the number, but I can't see these links. Analogue 310946 Steps To Reproduce 1...

AI score 0.6
Exploits: 0