HackerOne: Leakage badges on disabled user

Indonesia Here ; Hi HackerOne Team, Description: This attack occurs when an attacker uses this graphql code: and this builds the path of the attacker getting disclosure information about how many programs already in the close Resolved from the Public or Disable user. okay now I do not say if the...

HackerOne: IDOR on Program Visibilty (Revealed / Concealed) against other team members

Hi HackerOne Team, Summary: When you are a part of a program security team, you have a choice to show in your profile that you are a member of the sec team, you can also hide it if you don't want to show it to your profile, any team member can do that using your profile settings here:...

HackerOne: Introspection query leaks sensitive graphql system information.

Summary: Interospection query leaks sensitive data. Introduction As we know graphql was initially developed and used by facebook as an internal query language and so the features of graphql mostly revolve around internal and development areas. Graphql executes queries using a type system with the...

HackerOne: GraphQL sessions aren't immediately invalidated when user password is changed

Summary: While changing password, once user clicks on "Change password" button after giving necessary values, on https://hackerone.com/settings/pass/edit, the session expires and the user is redirected to https://hackerone.com/users/signin for logging in again with the updated/changed password. A...

New Relic: [NR Infrastructure] Bypass of #200576 through GraphQL query abuse - allows restricted user access to root account license key

@jonbottarini discovered an issue with our GraphQL implementation. This allowed a user without the proper authorization access to privileged account information on the same account. The writeup for this issue can read here: https://labs.detectify.com/2018/03/14/graphql-abuse/...