Administrator in one minute
This post walks through bugs I found in a GraphQL API
Not too long ago, I was bored and decided to check the security of some apps on my phone. I had a community app installed which I decided to check. I noticed it had a GraphQL API and had made the mistake of having introspection enabled. Seeing this initial issue, I was intrigued.

And I was very right to be intrigued. I made a request to update my profile in the app. I sent it and got back my own user data. Looking at the data, I tried changing things that might be sensitive.

As you can see above, I was able to change my user ID, make myself administrator in specific communities and give myself administrator permissions over the whole application.
Some time later, I continued exploring and found that I could query other users' information. All user IDs are quite random, but the IDs get leaked in other places in the app, for example when sending messages. Therefore, I could find some ID and get the info of the person who sent the message:
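The two resolver-side defects described above (a profile mutation that saves whatever fields the client sends, and a user query that hands any caller the full record for any ID) come down to missing field allow-listing and missing object-level authorization. The following is an added example, not the app's code: the mutation and query are modelled as plain resolver functions over an in-memory store, with the vulnerable form beside a hardened one. Users, IDs, field names and community IDs are all constructed.

```javascript
// Added example, not the app's code. A GraphQL-style updateProfile mutation and
// user query are modelled as plain resolver functions over an in-memory store.
// All users, IDs, field names and community IDs below are constructed.

function makeStore() {
  return new Map([
    ['u-1a2b', { id: 'u-1a2b', name: 'Alice', phone: '+15550001111',
                 isAdmin: false, communityRoles: { 'c-77': 'member' } }],
    ['u-9f8e', { id: 'u-9f8e', name: 'Bob', phone: '+15550002222',
                 isAdmin: true, communityRoles: { 'c-77': 'admin' } }],
  ]);
}

// Fields a user may change about themselves. Everything else (id, isAdmin,
// communityRoles, phone) is server-controlled or needs a privileged mutation.
const SELF_EDITABLE_FIELDS = new Set(['name', 'bio', 'avatarUrl']);

// What the record owner (or an admin) may see versus what any caller may see.
function toSelfView(u) {
  return { id: u.id, name: u.name, phone: u.phone, isAdmin: u.isAdmin,
           communityRoles: { ...u.communityRoles } };
}
function toPublicView(u) {
  return { id: u.id, name: u.name };
}

// VULNERABLE: the mutation input is merged wholesale into the stored record, so
// a client can submit isAdmin, communityRoles or even id and have them saved.
function updateProfileVulnerable(store, context, input) {
  const user = store.get(context.userId);
  if (!user) throw new Error('unauthenticated');
  Object.assign(user, input);
  return toSelfView(user);
}

// HARDENED: only allow-listed fields are written; anything else is rejected
// outright rather than silently dropped, so a client sending isAdmin gets an error.
function updateProfileHardened(store, context, input) {
  const user = store.get(context.userId);
  if (!user) throw new Error('unauthenticated');
  const rejected = Object.keys(input).filter((k) => !SELF_EDITABLE_FIELDS.has(k));
  if (rejected.length > 0) {
    throw new Error(`fields not editable via updateProfile: ${rejected.join(', ')}`);
  }
  for (const key of Object.keys(input)) user[key] = input[key];
  return toSelfView(user);
}

// Role changes live in their own mutation with an explicit admin check.
function setCommunityRoleHardened(store, context, { userId, communityId, role }) {
  const caller = store.get(context.userId);
  if (!caller) throw new Error('unauthenticated');
  if (!caller.isAdmin && caller.communityRoles[communityId] !== 'admin') {
    throw new Error('forbidden');
  }
  const target = store.get(userId);
  if (!target) throw new Error('no such user');
  target.communityRoles[communityId] = role;
  return toSelfView(target);
}

// VULNERABLE: knowing an ID (leaked via messages, per the post) is enough to
// read the whole record, phone number included.
function userQueryVulnerable(store, context, id) {
  const user = store.get(id);
  return user ? toSelfView(user) : null;
}

// HARDENED: the full record is returned only to its owner or an admin;
// everyone else gets the public projection.
function userQueryHardened(store, context, id) {
  const caller = store.get(context.userId);
  if (!caller) throw new Error('unauthenticated');
  const target = store.get(id);
  if (!target) return null;
  if (caller.id === target.id || caller.isAdmin) return toSelfView(target);
  return toPublicView(target);
}
```

The hardened mutation rejects unknown fields with an error instead of silently ignoring them; silent dropping hides client bugs and makes it harder to spot probing in logs. The same allow-list and view split should be applied per GraphQL field rather than at the HTTP layer, because one GraphQL endpoint serves every operation.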

The last critical issue I found was with the authentication in the app. It allows you to log in using your phone number. The problem here was that after the auth code was sent, you could simply brute-force the PIN with no rate limiting, so after some number of attempts you would get a valid session.
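The missing control here is server-side: an issued code must have a short lifetime and a hard cap on verification attempts, after which the code is discarded and a fresh one has to be requested. The following is an added example, not the app's code, of that state handling; the TTL, attempt cap and phone numbers are constructed values, and a real deployment would store a hash of the PIN rather than the PIN itself.

```javascript
// Added example, not the app's code. Server-side handling of a phone-login PIN
// with the controls whose absence the post describes: a short lifetime, a hard
// cap on guesses per issued code, invalidation once the cap is hit, and single
// use. The store, TTL and cap are constructed values; a real deployment would
// also store a hash of the PIN rather than the PIN itself.

const OTP_TTL_MS = 5 * 60 * 1000; // code is valid for five minutes
const MAX_ATTEMPTS = 5;           // guesses allowed per issued code

// Compare two strings without an early exit on the first mismatching byte.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// `now` is injectable so expiry can be exercised deterministically.
function createOtpStore(now = () => Date.now()) {
  const challenges = new Map(); // phone -> { pin, expiresAt, attempts }
  return {
    // Called after the SMS is sent; a new code replaces any outstanding one.
    issue(phone, pin) {
      challenges.set(phone, { pin: String(pin), expiresAt: now() + OTP_TTL_MS, attempts: 0 });
    },
    // Returns { ok, reason } instead of throwing so callers can log the reason.
    verify(phone, guess) {
      const c = challenges.get(phone);
      if (!c) return { ok: false, reason: 'no_challenge' };
      if (now() > c.expiresAt) {
        challenges.delete(phone);
        return { ok: false, reason: 'expired' };
      }
      c.attempts += 1;
      if (c.attempts > MAX_ATTEMPTS) {
        // Cap exceeded: throw the code away; even the right PIN no longer works.
        challenges.delete(phone);
        return { ok: false, reason: 'locked' };
      }
      if (!constantTimeEqual(String(guess), c.pin)) {
        return { ok: false, reason: 'wrong_pin', attemptsLeft: MAX_ATTEMPTS - c.attempts };
      }
      challenges.delete(phone); // single use: a verified code cannot be replayed
      return { ok: true };
    },
    // For monitoring: how many guesses an outstanding code has absorbed.
    attemptsFor(phone) {
      const c = challenges.get(phone);
      return c ? c.attempts : null;
    },
  };
}
```

With a six-digit code and five attempts, a guess succeeds with probability 5 in 1,000,000 per issued code. The cap only holds if issuing a new code is itself limited per phone number, otherwise requesting a fresh code resets the budget. The `reason` values are worth logging so that a burst of `wrong_pin` and `locked` results for one number stands out in detection.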

All the issues mentioned here have been sent to the app owner, who has now fixed them.