25000$ IDOR: How a Simple ID Enumeration Exposed Private Data

Understanding GraphQL Misconfigurations and How to Prevent Data Leaks

Timeline

• June 28, 2022: A security researcher submits a report detailing a critical GraphQL vulnerability.
• June 29, 2022: The issue is reviewed, and further information is requested.
• July 1, 2022: The vulnerability is validated and escalated for internal review.
• July 5, 2022: Severity increased to critical (9.3/10) due to the exposure of private report titles.
• July 5, 2022: Researcher is awarded $25,000 for responsibly reporting the issue.
• January 21, 2025: The report is publicly disclosed after complete mitigation.

Introduction: A Critical IDOR in GraphQL

Insecure Direct Object References (IDOR) remain one of the most commonly exploited vulnerabilities, often allowing unauthorized access to sensitive data.

In a recent high-severity bug bounty case, a researcher discovered a GraphQL endpoint misconfiguration that allowed unauthenticated users to enumerate object IDs and extract private bug bounty program details.