InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


[GraphQL IDOR] Leaking credit card information of 1000s of users [External Audit]


Hey everyone

I was hunting on a web application. The program was private, so for obvious reasons let’s call the domain redacted.com. I was able to extract a large amount of personal information by chaining two different GraphQL endpoints.

Finding the GraphQL IDOR

While performing initial recon on redacted.com, I found that the web application used GraphQL for its API.

To make the queries readable, I used the GraphQL Raider Burp extension, which splits the GraphQL query and its variables out of the JSON body and displays them in separate tabs. GraphQL Raider identified the ‘id’ variable as an insertion point. The response to this request contained the user’s personal information, including credit card information.

I created two accounts and tested for IDOR by requesting one account’s data while authenticated as the other. The application was vulnerable: I was able to retrieve the personal information of my second account.

Spotting a weird functionality

The id variable is a 12-character string, so it cannot be guessed or brute-forced directly. While looking for a way to obtain other users’ id values, I went through my Burp Suite Repeater tabs and found an interesting endpoint: it fetched my following list, and the response contained the id value and profile picture of every user I follow.

When a user creates an account on redacted.com, the user automatically follows some company executives.

When I clicked on the follower list of one of these executives, a GraphQL query was sent that fetched profile information, and the response contained the id and profile picture of a large number of users. I also found a user with a million followers, whose follower list could be harvested in the same way.

Exploitation

To build the proof of concept, I took an ‘id’ from the follower-list response of one of the company executives.

The GraphQL queries had no rate limiting or other protection against automated requests. I extracted the ids from the follower-list responses with a bash script, fed them into Burp Intruder as the payload for the vulnerable query, and retrieved the sensitive data of thousands of users.
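As an added illustration (not code from the original post or from the target application), here is a minimal Node.js `user(id)` resolver in the vulnerable shape this write-up describes, beside a hardened version that performs object-level authorization in the resolver itself; `usersDb`, `ctx.viewerId` and the field names are assumptions.

```javascript
"use strict";

// Constructed sample data standing in for the site's user store; the
// 12-character ids mirror the format described in the write-up.
const usersDb = new Map([
  ["a1b2c3d4e5f6", { id: "a1b2c3d4e5f6", name: "Alice", avatar: "/img/a.png",
                     email: "alice@example.com", card: "4111111111111111" }],
  ["f6e5d4c3b2a1", { id: "f6e5d4c3b2a1", name: "Bob", avatar: "/img/b.png",
                     email: "bob@example.com", card: "5500000000000004" }],
]);

// VULNERABLE: the resolver trusts the client-supplied id and never asks who
// is making the request, so any logged-in user who learns another user's id
// (for instance from a follower list) receives the full record.
function userResolverVulnerable(_parent, { id }, _ctx) {
  return usersDb.get(id) ?? null;
}

// HARDENED: object-level authorization in the resolver. Public profile fields
// are returned to any authenticated viewer; private fields only when the
// viewer owns the record. Once access is checked here, ids may be freely
// discoverable: an unguessable id was never a security control.
function userResolverHardened(_parent, { id }, ctx) {
  if (!ctx || !ctx.viewerId) throw new Error("UNAUTHENTICATED");
  const user = usersDb.get(id);
  if (!user) return null;
  const publicProfile = { id: user.id, name: user.name, avatar: user.avatar };
  if (ctx.viewerId !== user.id) return publicProfile; // others: public view only
  // Even the owner gets only the last four digits, never the full card number.
  return { ...publicProfile, email: user.email, cardLast4: user.card.slice(-4) };
}

// Two-account IDOR test as described in the post: the viewer requests the
// target's record through `resolver` and we report which private fields leaked.
function leakedPrivateFields(resolver, viewerId, targetId) {
  const result = resolver(null, { id: targetId }, { viewerId });
  if (!result) return [];
  return ["email", "card"].filter((field) => field in result);
}

// Stand-alone demonstration: Alice asks for Bob's record through each resolver.
console.log("vulnerable leaks:", leakedPrivateFields(userResolverVulnerable, "a1b2c3d4e5f6", "f6e5d4c3b2a1"));
console.log("hardened leaks:  ", leakedPrivateFields(userResolverHardened, "a1b2c3d4e5f6", "f6e5d4c3b2a1"));
```

The same check belongs in every resolver that returns user-owned data; the follower-list endpoint can keep exposing ids once the `user` resolver no longer hands out private fields for them.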

Disclosure

Reported on 26th December 2020

Linkedin: https://www.linkedin.com/in/vipul-sahu-a7a420174/


Published in InfoSec Write-ups
