Vulnerability Summary
Writeup — Business Logic Vulnerability
A grocery-delivery platform's GraphQL API trusted a client-supplied paymentMethod value during the order update flow without re-validating authorization for that method. By starting an order with a card that was guaranteed to decline, letting it drop into a PENDING state, and then intercepting the "fix payment" request to swap CARD → INVOICE, an authenticated low-privilege user could push the order to CONFIRMED and into fulfillment without any payment ever being processed.
The bug was a Business Logic vulnerability that allowed users to access paid features while they were on a free plan.
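As an added example (not the platform's code, whose resolver the writeup does not show), the following JavaScript models the "fix payment" mutation resolver in the vulnerable form described above and beside it a hardened form that re-authorizes the requested payment method against the caller's entitlements and only permits the PENDING to CONFIRMED transition. The user records, the order, the gateway stub and the per-account entitlement list are constructed assumptions.

```javascript
// Added example (not the platform's code). Models the "fix payment" mutation
// resolver described above; all names and data here are assumptions.
const PAYMENT_METHODS = ["CARD", "INVOICE"];

// Constructed users: a low-privilege customer may only pay by card; a
// vetted business account may also be invoiced.
const users = {
  u1: { id: "u1", allowedPaymentMethods: ["CARD"] },
  u2: { id: "u2", allowedPaymentMethods: ["CARD", "INVOICE"] },
};

// Constructed order whose card was declined, leaving it PENDING.
function makeOrder(ownerId) {
  return { id: "o1", ownerId, state: "PENDING", paymentMethod: "CARD" };
}

// Constructed gateway: the card in this scenario always declines;
// INVOICE is deferred billing, so nothing is captured at order time.
function processPayment(order) {
  return order.paymentMethod === "CARD" ? { ok: false } : { ok: true };
}

// VULNERABLE: only checks ownership, then trusts input.paymentMethod.
function fixPaymentVulnerable(order, user, input) {
  if (order.ownerId !== user.id) throw new Error("forbidden");
  order.paymentMethod = input.paymentMethod;
  if (processPayment(order).ok) order.state = "CONFIRMED";
  return order;
}

// HARDENED: re-authorizes the requested method against the caller's
// entitlements and only allows the transition from PENDING.
function fixPaymentHardened(order, user, input) {
  if (order.ownerId !== user.id) throw new Error("forbidden");
  if (order.state !== "PENDING") throw new Error("order not pending");
  if (!PAYMENT_METHODS.includes(input.paymentMethod)) throw new Error("unknown method");
  if (!user.allowedPaymentMethods.includes(input.paymentMethod)) {
    throw new Error("payment method not authorized for this account");
  }
  order.paymentMethod = input.paymentMethod;
  if (processPayment(order).ok) order.state = "CONFIRMED";
  return order;
}
```

With these inputs, `fixPaymentVulnerable` lets user u1 reach CONFIRMED by sending `{ paymentMethod: "INVOICE" }`, while `fixPaymentHardened` rejects the same request and still confirms it for the invoice-entitled account u2.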