CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED)
Disclose Ad Accounts linked with Instagram Accounts
How I got my first bounty on financial sector gateway site by using Previous GraphQL vulnerabilities.
IDOR Vulnerability In GraphQL Api On Website
Retrieve Archived Stories Of Any Public Instagram Account.
Access to CrowdTangle Deletion Framework API
Bulletin.com email address leak
This is how I was able to see Private, Archived Posts/Stories of users on Instagram without following them
Disclose leads form details of any Facebook Business Account or Facebook Page (Bug Bounty)
Pwning your assignments: Stored XSS via GraphQL endpoint
(POC) Update business fyi message as Facebook page analyst
De-anonymize the members of a private Facebook Group as a non-member.
Somebody Call The Plumber, GraphQL is Leaking Again…
Ability to find Facebook employee’s test accounts which lead to the disclosure of internal information.
Access private information about SparkAR effect owners who has a publicly viewable portfolio
Confirm if an invitation is sent to a specific email in Partners Portal / Possibility to resend the invitation
Expose information about Partner accounts in Partner portal
Leaking Facebook user information to external websites / Setting some cookies values
Make recruiting referrals on behalf of employees
GraphQL IDOR in Facebook streamer dashboard.
How I lost my followers on Medium
Graphql Bug to Steal Anyone’s Address
GraphQL abuse: Bypass account level permissions through parameter smuggling