Graphql Abuse to Steal Anyone’s Address

Pratik Yadav
3 min read, Sep 1, 2019


Introduction

For certain reasons I had to take this blog post down earlier, as I did not have approval from the Security Team of that program. They have now approved the post. Again, this is not an English literature or grammar blog, so please ignore errors.

I am Pratik Yadav, currently working as a Security Engineer at a crypto buying site (I am also a final-year Computer Engineering student). I am thankful to the company for offering me a full-time job even though I have not yet completed my graduation.

About the Vulnerability

To discover this bug I spent at least 4–5 hours learning GraphQL basics and reading all the other bug reports available. While checking the subdomains of the target, I found the subdomain stg.target.com and noticed that it was using GraphQL instead of a REST API.

You can read more about GraphQL here: https://graphql.org/ (GraphQL is an alternative to a REST API.)

About the application: in this application users can send money to their family members, friends or any other user.

Requirement: just the email address of the victim.

Steps (Screenshots are enough so you can skip theory)

  1. First I routed the application's request flow through the Burp proxy and performed various operations, such as sending money to another test account of mine.
  2. After performing every possible operation, I reviewed all the HTTP requests. My attention went to the request that is generated when sending money to another user.
  3. Before sending the money, the application first validates whether the recipient is a registered user. This was the GraphQL query that checked whether the user is registered on the platform.
  4. Now look at the response to this request. In the screenshot you can see "__typename: Auth_User".
  5. After some time, I decided to find all the fields of the __typename Auth_User.
  6. All the typenames and their fields can be found with an introspection query, so I fired the following introspection query:

https://api.stg.target.com/graphq?query={__schema{types{name,fields{name}}}} (And yes, it returns all the typenames and field values.)

I checked all the fields of the Auth_User type and noted addressLine1 and addressLine2, which are something we are not supposed to see for someone else.

  7. I replaced the status field in the original request (please compare this screenshot with screenshot 1). Now you can see that I replaced status with addressLine1 in the original request and fired it, and as expected it returned addressLine1 for the other user. You can see it leaked my test account's address.

So with just an email address, you can steal anyone's address and other sensitive information.

Similarly, I replaced it with balance and wallet_address, and it showed information about the other user that we are not supposed to view.
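The root cause above is that the recipient-validation query resolved whatever fields of Auth_User the client put in its selection set; introspection only made the field names easy to find. As an added example (not the affected application's code), the resolver below enforces field-level authorization: a lookup of another user's record returns only an allowlisted set of fields, while the owner can read their own. The user records, the Requester class and the allowlist are constructed for the demo; the type and field names follow the post.

```python
"""Field-level authorization for a GraphQL-style user lookup (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample records keyed by email (stand-in for the user store).
USERS = {
    "alice@example.test": {"__typename": "Auth_User", "status": "ACTIVE",
                           "addressLine1": "1 Main St", "addressLine2": "Apt 2",
                           "balance": "42.00", "wallet_address": "bc1qexample"},
    "bob@example.test": {"__typename": "Auth_User", "status": "ACTIVE",
                         "addressLine1": "9 Side Rd", "addressLine2": "",
                         "balance": "7.50", "wallet_address": "bc1qother"},
}

# Fields a user may read on *another* user's record: enough to confirm that
# the recipient exists, nothing else. Every field not listed is owner-only.
PUBLIC_FIELDS = frozenset({"__typename", "status"})


@dataclass
class Requester:
    """Authenticated caller (constructed; a real server takes this from the session)."""
    email: str


def resolve_user_lookup(requester: Requester, email: str, selection: list[str]) -> dict:
    """Resolve the client's selection set against the record, field by field.

    Returns {"data": ..., "errors": [...]}. Fields the requester may not read
    are left out of data and reported in errors, the way a GraphQL server
    reports per-field resolver errors, instead of being returned.
    """
    record = USERS.get(email)
    if record is None:
        return {"data": None, "errors": ["user not found"]}
    is_owner = requester.email == email
    data, errors = {}, []
    for field in selection:
        if field not in record:
            errors.append(f"unknown field {field}")
        elif is_owner or field in PUBLIC_FIELDS:
            data[field] = record[field]
        else:
            errors.append(f"not authorised to read {field}")
    return {"data": data, "errors": errors}
```

With this in place, swapping status for addressLine1 or balance in the request yields an authorization error for the field rather than the value.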

Disclosure

  1. I reported it to them around 1 AM (Indian Standard Time).
  2. They saw the video proof I provided and immediately took down the subdomain.
  3. Yes, they rewarded me with a 4-digit $ bounty (my highest bounty so far).

Thanks.
Looking forward to sharing more blogs.

Best Regards

Pratik Yadav

You can reach out to me at https://twitter.com/@PratikY9967
