IDOR Vulnerability In GraphQL Api On inmobi.com

Mirabbas Agalarov
4 min read · Jan 9, 2023


Hello everyone. I hope you are well. This article is my first bug bounty write-up. It is about an IDOR I found in inmobi.com. Let's get into the article without wasting time.

What is GraphQL?

GraphQL is an open-source data query and manipulation language for APIs. Nowadays, GraphQL is often used in place of REST APIs. Instead of many resource-specific endpoints, a GraphQL API typically exposes a single endpoint (for example /graphql) that receives a query or mutation together with a "variables" object; those variables are client-controlled input just like URL parameters or form fields, so the server must authorize them in exactly the same way.

What is IDOR?

IDOR stands for Insecure Direct Object Reference.
An IDOR flaw allows an attacker to gain unauthorized access to resources, or to perform actions on them, in a web application.
This is accomplished by altering the request parameters supplied to the server when retrieving or modifying objects (such as documents, files, and database records).
It is possible when the server lacks an authorization check: the request is completed without verifying that the referenced object belongs to the user making the request.
for example:

www.xyz.com/myaccount/uid=12
www.xyz.com/myaccount/uid=14
www.xyz.com/myaccount/uid=15
www.xyz.com/myaccount/uid=19

Here we can see that the uid in the URL is a direct reference to an account and can be tampered with by an attacker to bypass authorization and view or modify other users' accounts.

// Parameterized query: safe against SQL injection, but the account number
// comes straight from the request and is never checked against the logged-in user.
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ... );
pstmt.setString(1, request.getParameter("acct")); // attacker-controlled value
ResultSet results = pstmt.executeQuery();

In the above code, the query itself is protected against SQL injection because it uses a prepared statement, but nothing checks that the requested account belongs to the logged-in user. An attacker simply modifies the "acct" parameter in the request and submits other account numbers to retrieve their information.

How did I find Idor in GraphQL?

First, I wanted to edit my account's first and last name because I was looking for XSS in the profile fields. For this I opened Burp Suite and captured the request.
There I noticed that the web application uses GraphQL for its API.

In this request I saw the userId variable and thought, "what happens if I write another id here?" I quickly opened a new account, learned the userId of that account, deleted my own userId from the request, replaced it with the userId of the new account, and Boooom:
I was able to change the name, surname, e-mail address and other information of the account I had just created.

I quickly wrote a report and sent it to the team. Five days later I got feedback, which was as follows:

The ID was important, because if we didn't know the ID, we couldn't obtain it directly. I had to either find a feature that exposes another user's ID or expose the ID through another vulnerability.

I was a little disappointed, but I didn't give up. I kept searching, and 5 hours later I found a way to reveal a user's ID.

I found a feature in the web application that lets you invite other users to your group. All you needed was the user's first name, last name and e-mail. I entered the name, surname and e-mail of the account I had just created, sent an invitation, and that user's profile appeared in my account.

If we select the user and view their details, it shows the user's account and gives the userId in the URL.

I quickly told the team how to do it.
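To make the full chain concrete, here is an added example in plain JavaScript; it is my illustration, not code from the write-up or from inmobi.com. It models the two mutations the story relies on (an invite-by-e-mail feature that discloses the invitee's id, and a profile update that trusts a client-supplied userId) as graphql-js-style resolvers with a tiny stand-in executor, and places the vulnerable resolvers beside hardened ones. The resolver names updateUser and inviteToGroup, the field names, the sequential ids and the e-mail addresses are all assumptions; the user table is constructed inline. It also goes one step beyond the story: the hardened invite answers the same way whether or not the address is registered, so it cannot be used to confirm which e-mails have accounts.

```javascript
// Constructed in-memory user table standing in for the application's database.
// Sequential integer ids mirror the kind of userId the write-up shows being swapped.
function makeStore() {
  return new Map([
    [101, { id: 101, firstName: 'Alice', lastName: 'Attacker', email: 'alice@example.test' }],
    [102, { id: 102, firstName: 'Bob', lastName: 'Victim', email: 'bob@example.test' }],
  ]);
}

const FORBIDDEN = 'Forbidden: userId does not belong to the authenticated user';

function findByEmail(store, email) {
  for (const user of store.values()) if (user.email === email) return user;
  return null;
}

// Resolvers follow the graphql-js convention (parent, args, context). context.session.userId
// is derived server-side from the auth cookie; args is the client's "variables" object (untrusted).
const vulnerableResolvers = {
  Mutation: {
    // IDOR: the client-supplied userId selects the row; the session is never consulted.
    updateUser(_parent, args, context) {
      const user = context.store.get(args.userId);
      if (!user) throw new Error('User not found');
      Object.assign(user, args.input);
      return user;
    },
    // Invite-by-e-mail feature: echoing the resolved invitee record discloses its id,
    // the missing piece that triage asked for.
    inviteToGroup(_parent, args, context) {
      const invitee = findByEmail(context.store, args.email);
      if (!invitee) throw new Error('User not found');
      return { groupId: args.groupId, invitee };
    },
  },
};

const hardenedResolvers = {
  Mutation: {
    // Only the session's own row may be modified; a foreign userId is refused
    // no matter how the caller learned it.
    updateUser(_parent, args, context) {
      if (args.userId !== context.session.userId) throw new Error(FORBIDDEN);
      const user = context.store.get(context.session.userId);
      if (!user) throw new Error('User not found');
      Object.assign(user, args.input);
      return user;
    },
    // Acknowledge the invitation without echoing the invitee, and answer identically
    // whether or not the address is registered (any lookup stays server-side).
    inviteToGroup(_parent, args, _context) {
      return { groupId: args.groupId, invitee: null, status: 'PENDING' };
    },
  },
};

// Minimal stand-in for a GraphQL executor: runs one mutation and wraps the result
// or the error in GraphQL's { data, errors } response shape.
function execute(resolvers, store, session, operation, variables) {
  try {
    const result = resolvers.Mutation[operation](null, variables, { store, session });
    return { data: { [operation]: result } };
  } catch (err) {
    return { data: null, errors: [{ message: err.message }] };
  }
}

// Replays the write-up's chain: Alice (session 101) is the attacker, Bob (102) the target.
function runAttackChain(resolvers) {
  const store = makeStore();
  const session = { userId: 101 };
  // Step 1: learn Bob's id through the invite feature.
  const invite = execute(resolvers, store, session, 'inviteToGroup',
    { groupId: 7, email: 'bob@example.test' });
  const leakedId = invite.data?.inviteToGroup?.invitee?.id ?? null;
  // Step 2: swap the userId variable. If nothing leaked, fall back to the neighbouring
  // sequential id: authorization must hold even when the id is guessable.
  const targetId = leakedId ?? session.userId + 1;
  const update = execute(resolvers, store, session, 'updateUser',
    { userId: targetId, input: { email: 'alice-controlled@example.test' } });
  return {
    idLeaked: leakedId !== null,
    updateRejected: Array.isArray(update.errors),
    victimModified: store.get(102).email !== 'bob@example.test',
  };
}

// A user editing their own profile must keep working under the hardened resolvers.
function runSelfUpdate(resolvers) {
  const store = makeStore();
  const res = execute(resolvers, store, { userId: 101 }, 'updateUser',
    { userId: 101, input: { firstName: 'Alicia' } });
  return res.data ? res.data.updateUser.firstName : null;
}

console.log('vulnerable:', runAttackChain(vulnerableResolvers));
console.log('hardened:  ', runAttackChain(hardenedResolvers));
```

Running it prints idLeaked/victimModified as true for the vulnerable resolvers and false for the hardened ones, while a self-update still succeeds in both. The design point is that the hardened updateUser never uses args.userId to pick the row; it only compares it to the session and then reads the session's own id, so even a userId obtained from another feature, a URL, or a guess buys the attacker nothing.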

YouTube PoC video:

https://www.youtube.com/watch?v=g9ZQAByw3UE


