Vulnerability writeups, methodology breakdowns, and lessons learned from hunting bugs across real-world targets.
While testing redacted.com's GraphQL API, I came across a query used to fetch team membership details names, roles, and emails of everyone on a team. Nothing …