$20,000 Hackerone data leakage via GraphQL

📧 Subscribe to BBRE Premium: https://bbre.dev/premium
✉️ Sign up for the mailing list: https://bbre.dev/nl
📣 Follow me on Twitter: https://bbre.dev/tw


Hello,
today I have for you an explanation of a vulnerability that affected Hackerone itself and was reported on their platform. The GraphQL leakage was leaking all the data that was possibly accessible via the GraphQL API.

Timestamps:
00:00 What is GraphQL?
00:30 GraphQL vs REST API
02:27 edge-based vs node-based access control
04:50 the root cause of the vulnerability
05:53 the impact and the fixes

Original report:
https://hackerone.com/reports/489146

Reporter:
https://hackerone.com/yashrs
  / y_sodha  

#graphql #hackerone
