Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3287208 by hellokbit
Summary:
The GraphQL API’s verifyAccountRecoveryPhoneNumber mutation can be aliased multiple times in a single request, causing the server to process each mutation sequentially. Each additional alias adds approximately 8 seconds to the server’s response time, enabling a denial-of-service (DoS) attack by exhausting server resources and increasing latency.
Description:
The verifyAccountRecoveryPhoneNumber mutation is designed to verify a user's phone number during an account-recovery phone-number change. However, the API does not limit the number of mutation aliases in a single GraphQL request. When the same mutation is repeated under different aliases, the server executes each one separately, performing the expensive backend operations multiple times. This leads to a linear increase in response time with the number of aliases included. The result is a resource-exhaustion vulnerability that can degrade or deny service availability to legitimate users.
verifyAccountRecoveryPhoneNumber,
In this case, the response time will exceed 20 seconds because each alias (verify1, verify2, verify3) adds approximately 8 seconds of processing time.
HackerOne disclosed report --> https://hackerone.com/reports/3168691 by joejoe5
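As an added illustration of the mitigation, not code from the disclosed report or the affected service: a server-side pre-execution check that counts how many times each root-level field of an operation is requested (aliases merged), estimates the cost using the roughly 8 seconds per call stated in the summary, and rejects the request before any resolver runs. The mutation name and per-call cost come from the summary above; the argument names in the constructed sample request, the alias limit and the time budget are assumptions. Inline fragments are treated as transparent so that wrapping the aliases in `... on Mutation { }` does not change the count.

```python
import re
from collections import Counter

# Constructed sample request mirroring the pattern in the report: the same
# mutation under three aliases. The "input"/"code" argument names are assumed.
SAMPLE_MUTATION = """
mutation {
  verify1: verifyAccountRecoveryPhoneNumber(input: {code: "111111"}) { success }
  verify2: verifyAccountRecoveryPhoneNumber(input: {code: "222222"}) { success }
  verify3: verifyAccountRecoveryPhoneNumber(input: {code: "333333"}) { success }
}
"""

# Per-call cost of known expensive root fields, in seconds (8 s from the summary).
EXPENSIVE_FIELDS = {"verifyAccountRecoveryPhoneNumber": 8.0}

TOKEN_RE = re.compile(r'''
    "(?:\\.|[^"\\])*"        # string literal: braces inside must not count
  | \#[^\n]*                 # comment
  | [A-Za-z_][A-Za-z0-9_]*   # name
  | [^\s,]                   # any other single char (commas are insignificant)
''', re.VERBOSE)
NAME_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


def tokenize(query):
    """Split a GraphQL document into coarse tokens, dropping comments."""
    return [t for t in TOKEN_RE.findall(query) if not t.startswith('#')]


def count_root_fields(query):
    """Count root-level fields of the operation, merging aliases into the real field name."""
    tokens = tokenize(query)
    counts = Counter()
    stack = []              # one entry per open '{': True if the brace is transparent
    depth = 0               # selection-set depth; 1 == root selection set
    paren = 0               # >0 while inside an argument list
    transparent_next = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == '(':
            paren += 1
        elif tok == ')':
            paren -= 1
        elif paren:
            pass            # inside arguments: input-object braces are not selection sets
        elif tok == '{':
            stack.append(transparent_next)
            if not transparent_next:
                depth += 1
            transparent_next = False
        elif tok == '}':
            if stack and not stack.pop():
                depth -= 1
        elif tok == '@':
            i += 2          # skip directive "@name"; its arguments are handled by paren
            continue
        elif tokens[i:i + 3] == ['.', '.', '.']:
            i += 3          # fragment spread or inline fragment
            if i < len(tokens) and tokens[i] == 'on':
                i += 2      # "... on Type {": skip keyword and type, brace is transparent
                transparent_next = True
            elif i < len(tokens) and tokens[i] in ('{', '@'):
                transparent_next = True   # untyped inline fragment
            else:
                i += 1      # "...fragmentName": body is defined elsewhere
            continue
        elif depth == 1 and NAME_RE.fullmatch(tok):
            if i + 2 < len(tokens) and tokens[i + 1] == ':':
                i += 2      # "alias: field" -> count the real field name
                tok = tokens[i]
            counts[tok] += 1
        i += 1
    return counts


def check_request(query, max_per_field=1, budget_seconds=10.0):
    """Return (allowed, reason, estimated_seconds) for an incoming operation."""
    counts = count_root_fields(query)
    estimated = sum(EXPENSIVE_FIELDS.get(name, 0.0) * n for name, n in counts.items())
    for name, n in counts.items():
        if name in EXPENSIVE_FIELDS and n > max_per_field:
            return False, f"{name} requested {n} times (limit {max_per_field})", estimated
    if estimated > budget_seconds:
        return False, f"estimated cost {estimated:.0f}s exceeds budget {budget_seconds:.0f}s", estimated
    return True, "ok", estimated


if __name__ == "__main__":
    allowed, reason, cost = check_request(SAMPLE_MUTATION)
    print(f"allowed={allowed} cost={cost:.0f}s reason={reason}")
```

The check runs on the raw document before validation or execution, so a rejected request costs only a tokenizer pass. In a production server the same counting is better done on the parsed AST that the GraphQL library already produces, and the per-field costs belong in the schema rather than in a module-level table.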
HackerOne disclosed report --> https://hackerone.com/reports/3558277 by uv3doble
HackerOne disclosed report --> https://hackerone.com/reports/3475626 by dphoeniixx