The target is a web application that uses GraphQL as its API. Recently, the application added a new feature: service accounts. A service account is mainly used to create an API key that lets this app be integrated with other applications.
While testing the service account API key against the GraphQL endpoint, I found some interesting information when running the "me" query. The "me" query simply returns information about the current user.
[Figure: me query]

The service account has an email address, and it follows a specific format: redacted-service-account-<org_id>@email.com
What would happen if I invited another user's service account email address to my organization?
A little note, based on my previous analysis: if we invite a non-registered user, the server creates that user in the database. This app also has no email-based login; it must use OAuth from the "main" app.
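The question above, combined with the note that invites auto-create unregistered users, points at the check a backend needs on the invite path. Below is an added example (not the target app's code) of such a guard: the service-account address pattern mirrors the format seen in the "me" query, while the `evaluate_invite` policy and the hypothetical `registered` set are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Reserved address format observed in the post: redacted-service-account-<org_id>@email.com
# The org_id being numeric is an assumption for this example.
SERVICE_ACCOUNT_RE = re.compile(
    r"^redacted-service-account-(?P<org_id>\d+)@email\.com$"
)


@dataclass
class InviteDecision:
    allowed: bool
    reason: str
    provision_new_user: bool = False


def service_account_org(email: str):
    """Return the org_id embedded in a service-account address, or None for a normal address."""
    m = SERVICE_ACCOUNT_RE.match(email.strip().lower())
    return m.group("org_id") if m else None


def evaluate_invite(inviter_org_id: str, invitee_email: str, registered: set) -> InviteDecision:
    """Hypothetical invite policy: never invite or auto-provision a reserved service-account
    address, and report when the address belongs to a different organization than the inviter."""
    email = invitee_email.strip().lower()
    owner_org = service_account_org(email)
    if owner_org is not None:
        if owner_org != str(inviter_org_id):
            return InviteDecision(False, "service account address belongs to another org")
        return InviteDecision(False, "service account addresses are not invitable")
    if email in registered:
        return InviteDecision(True, "existing user invited")
    # Only ordinary, non-reserved addresses may trigger user creation on invite.
    return InviteDecision(True, "new user will be provisioned", provision_new_user=True)


if __name__ == "__main__":
    # Constructed sample data: org 7 invites three addresses.
    known_users = {"alice@example.com"}
    for addr in ("alice@example.com", "bob@example.com", "redacted-service-account-42@email.com"):
        print(addr, "->", evaluate_invite("7", addr, known_users))
```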
Then I put together this step-by-step attack scenario:
I create two accounts: account A as the attacker and account B as the victim.