Top GraphQL reports from HackerOne:
- Confidential data of users and limited metadata of programs and reports accessible via GraphQL to HackerOne - 996 upvotes, $0
- Email address of any user can be queried on Report Invitation GraphQL type when username is known to HackerOne - 632 upvotes, $0
- Private list members disclosure via GraphQL to X (Formerly Twitter) - 327 upvotes, $0
- SSRF in graphQL query (pwapi.ex2b.com) to EXNESS - 223 upvotes, $3000
- Github Apps can use Scoped-User-To-Server Tokens to Obtain Full Access to User's Projects in Project V2 GraphQL api to GitHub - 185 upvotes, $20000
- Disclosure of payment_transactions for programs via GraphQL query to HackerOne - 171 upvotes, $0
- GraphQL AdminGenerateSessionPayload is leaked to staff with no permission to Shopify - 168 upvotes, $0
- SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter to HackerOne - 150 upvotes, $0
- Team object in GraphQL disclosed private_comment to HackerOne - 141 upvotes, $2500
- Undocumented fileCopy GraphQL API to Shopify - 140 upvotes, $2000
- Unauthorized user can obtain report_sources attribute through Team GraphQL object to HackerOne - 137 upvotes, $2500
- Bug in GraphQL and API integration leads to limited user address disclosure to Starbucks - 136 upvotes, $0
- Private program disclosure via vpn_suspended GraphQL query to HackerOne - 131 upvotes, $2500
- IDOR on GraphQL queries BillingDocumentDownload and BillDetails to Shopify - 107 upvotes, $5000
- GraphQL field on Team node can be used to determine if External Program runs invite-only program to HackerOne - 99 upvotes, $0
- Team object in GraphQL disclosed total number of whitelisted hackers to HackerOne - 86 upvotes, $2500
- Private information exposed through GraphQL filters to HackerOne - 76 upvotes, $0
- Team object in GraphQL discloses team group names and permissions to HackerOne - 70 upvotes, $2500
- Cross-Tenant IDOR (graphql AddRulesToPixelEvents query) allowing to add, update, and delete rules of any Pixel events on the platform to TikTok - 70 upvotes, $0
- Team object in GraphQL disclosed of private programs via the industry to HackerOne - 68 upvotes, $500
- Attachment object in GraphQL continues to grant access to files, even if they are removed from rendering to HackerOne - 64 upvotes, $0
- Using GraphQL, STAFF with NO explicit permissions on Store can retrieve Shopify Payments Balance to Shopify - 60 upvotes, $0
- GraphQL query "namespace" leaks data to GitLab - 58 upvotes, $0
- TeamProfile exposes partially sensitive information through GraphQL to HackerOne - 57 upvotes, $0
- Image queue default key of 'None' and GraphQL unhandled type exception to Reddit - 56 upvotes, $500
- H1514 [beerify.shopifycloud.com] GraphQL discloses internal beer consumption to Shopify - 54 upvotes, $802
- Access to internal info via Graphql on https://tng-api.watsons.com.my to A.S. Watson Group - 49 upvotes, $0
- Embedded submission form UUIDs can be enumerated through GraphQL node interface, exposing sensitive program details to HackerOne - 47 upvotes, $0
- Graphql introspection is enabled and leaks details about the schema to On - 47 upvotes, $0
- [h1-2102] [Yaworski's Broskis] Low privilege user can read POS PINs via graphql and elevate his privilege to Shopify - 45 upvotes, $0
- Access to information about any video and its owner via GraphQL endpoint [dictor.mail.ru] to Mail.ru - 42 upvotes, $2500
- Revoking user session in https://hackerone.com/settings/sessions does not revoke the GraphQL query session to HackerOne - 42 upvotes, $500
- RC Between GitHub's Repo Transfer REST API and updateTeamsRepository GraphQL Mutation Results in Covert and Persistent Admin Access Retention to GitHub - 41 upvotes, $4000
- GraphQL node interface for ActiveResource models lacks encoding for resource identifier, enabling parameter injection in Payments backend to HackerOne - 41 upvotes, $0
- Inadequate redaction exposes sensitive information via the "ShareReportViaEmail" GraphQL endpoint to HackerOne - 40 upvotes, $0
- Team object in GraphQL that have a published external program may expose existence of a private program to HackerOne - 38 upvotes, $0
- A deactivated user can access data through GraphQL to GitLab - 37 upvotes, $1370
- [h1-2102] shopApps query from the graphql at /users/api returns all existing created apps, including private ones to Shopify - 32 upvotes, $1900
- HackerOne Pentesters can access any structured scope object through GraphQL node interface to HackerOne - 29 upvotes, $0
- Hacker can bypass minimum bounty amount restrictions in "invitation preferences" setting via UpdateInvitationPreferencesMutation GraphQL operation to HackerOne - 28 upvotes, $0
- Private information exposed through GraphQL search endpoints aggregates to HackerOne - 28 upvotes, $0
- Able to leak private email of any user given his/her username via graphql to GitLab - 27 upvotes, $0
- User object in GraphQL exposes number of trial reports for External Programs that also have a Private Program to HackerOne - 24 upvotes, $0
- Disabled account can still use GraphQL endpoint to HackerOne - 22 upvotes, $0
- Staff can use BULK_OPERATIONS_FINISH webhook topic using Graphql without permissions all to Shopify - 22 upvotes, $0
- Bypass GraphQL rate limit by abusing negative cost queries to Shopify - 20 upvotes, $0
- STAFF member with NO Explicit permissions can view ActivityFeed via GraphQL to Shopify - 20 upvotes, $0
- GRAPHQL cross-tenant IDOR giving write access through the operation UpdateAtlasApplicationPerson to Stripe - 20 upvotes, $0
- Introspection query leaks sensitive graphql system information to HackerOne - 18 upvotes, $0
- Private System Note Disclosure using GraphQL to GitLab - 17 upvotes, $1000
- Graphql: Sorting the reports by jira_status field resulted to different value to HackerOne - 17 upvotes, $0
- Changes to data in a CVE request after draft via GraphQL query to HackerOne - 14 upvotes, $0
- Insufficient Type Check on GraphQL leading to Maintainer delete repository to GitLab - 13 upvotes, $4000
- ReDoS at wiki.cs.money graphQL endpoint (AND probably a kind of command injection) to CS Money - 13 upvotes, $250
- GraphQL introspection query works through unauthenticated WebSocket to Nuri - 12 upvotes, $0
- GraphQL Query leads to sensitive information disclosure to GitLab - 12 upvotes, $0
- H1514 Get access to non public information by pivoting with graphql queries to Shopify - 11 upvotes, $1500
- Deleting someone else's profile image with a GraphQL query in programming education service (https://entry.line.me) to LY Corporation - 11 upvotes, $0
- GraphQL sessions aren't immediately invalidated when user password is changed to HackerOne - 9 upvotes, $0
- [h1-2102] Stored XSS in product description via productUpdate GraphQL query leads to XSS at handshake-web-internal.shopifycloud.com/products/[ID] to Shopify - 6 upvotes, $1600
- [NR Infrastructure] Bypass of #200576 through GraphQL query abuse - allows restricted user access to root account license key to New Relic - 5 upvotes, $750
- Restricted user can update Apdex target for applications by leveraging the GraphQL mutation to New Relic - 4 upvotes, $0
- Getting API access key Through Introspection query Graphql to New Relic - 4 upvotes, $0
- Cross-account reading of Insights dashboards through GraphQL to New Relic - 3 upvotes, $0
- Some store settings/data are accessible to "No Access" permission users on GraphQL LiveView operation to Shopify - 2 upvotes, $0