Bug Bounty

$1000 Bounty for an IDOR Leaking Team Members Data

While testing redacted.com's GraphQL API, I came across a query used to fetch team membership details names, roles, and emails of everyone on a team. Nothing …

$1000 Bounty for an IDOR Leaking Team Members Data

While testing redacted.com's GraphQL API, I came across a query used to fetch team membership details  names, roles, and emails of everyone on a team. Nothing unusual on the surface, since I could see my own team's data without issue.

But I wanted to know: what happens if I just change the teamId?

The Discovery

Why This Matters

The Fix

The resolver needs to verify, server-side, that the authenticated user is actually a member of the team they're requesting data for before returning anything. Trusting a client-supplied ID without checking the requester's relationship to that object is the textbook definition of IDOR, and GraphQL APIs are no less vulnerable to it than REST.

Disclosure Timeline

Reported the vulnerability to the team, and received a response within 3 days confirming the issue and awarding a bounty of $1000.