How a Researcher Stole 700M LinkedIn Profiles via GraphQL

In 2021, a data broker published a dataset containing scraped data from 700 million LinkedIn profiles — roughly 92% of LinkedIn's entire user base at the time. While LinkedIn called it "scraping" rather than a breach, the underlying mechanism involved abusing a public GraphQL API to enumerate user data in bulk.

GraphQL APIs are particularly attractive to attackers because of a feature called introspection — the API's built-in ability to describe itself completely. Where a REST API might have dozens of undocumented endpoints that take time to discover, a GraphQL API with introspection enabled hands you a complete schema map on request.

WHY GRAPHQL IS A DIFFERENT ATTACK SURFACE
Single endpoint: REST has /users, /posts, /orders. GraphQL has /graphql — everything goes through one endpoint, so scanners that enumerate URL paths see a single route and miss the operations behind it.
Self-documenting: an introspection query reveals ALL types, fields, queries, and mutations — the full API map. No need to guess endpoints.
Flexible queries: one query can fetch deeply nested data, so an IDOR on one field can pull in records from every related type reachable through nested selections.
Often unprotected: developers leave GraphiQL (the interactive IDE) and introspection enabled in production, treating them as dev-only features that are harmless to expose.
Batching: GraphQL allows multiple operations in one HTTP request — a single POST can contain 1,000 login attempts, bypassing rate limits that count HTTP requests rather than operations.

The Shopify GraphQL IDOR — $20,000 bounty

In 2019, a researcher discovered that Shopify's GraphQL API had a Broken Object Level Authorization (BOLA) vulnerability. By querying order(id: VICTIM_ORDER_ID) with their own authenticated session, they could retrieve order details from any Shopify merchant — not just their own. The data included customer names, addresses, and payment summaries.

The root cause: the GraphQL resolver checked whether the caller was authenticated, but not whether the requested order belonged to the caller's own shop.
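
The resolver pattern behind that root cause, and the ownership check that closes it, shown as an added example: this is not Shopify's code, the in-memory store, merchant and order identifiers and the `User`/`Order` types are constructed for illustration, and the resolver signatures are hypothetical stand-ins for whatever the real schema binds.

```python
"""Object-level authorization in a GraphQL resolver: the vulnerable pattern
(authenticated-only check) beside the fixed one (ownership check).  Added
example with a constructed in-memory store; not Shopify's code, and every
identifier below is made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    merchant_id: str      # the shop this session belongs to


@dataclass(frozen=True)
class Order:
    order_id: int
    merchant_id: str
    customer_name: str
    total: str


# Constructed data store: two merchants, one order each.
ORDERS = {
    1001: Order(1001, "merchant-A", "Ada Lovelace", "$42.00"),
    1002: Order(1002, "merchant-B", "Grace Hopper", "$17.50"),
}


class AuthError(Exception):
    """No authenticated session."""


class NotFound(Exception):
    """Order missing or not visible to this caller."""


def resolve_order_vulnerable(viewer: Optional[User], order_id: int) -> Order:
    """Checks only that *someone* is logged in: any merchant can read any order."""
    if viewer is None:
        raise AuthError("authentication required")
    if order_id not in ORDERS:
        raise NotFound(f"order {order_id}")
    return ORDERS[order_id]


def resolve_order_fixed(viewer: Optional[User], order_id: int) -> Order:
    """Also checks that the order belongs to the viewer's merchant.

    Missing and foreign orders raise the same NotFound, so the response does
    not tell the caller which order ids exist."""
    if viewer is None:
        raise AuthError("authentication required")
    order = ORDERS.get(order_id)
    if order is None or order.merchant_id != viewer.merchant_id:
        raise NotFound(f"order {order_id}")
    return order


def probe(resolver, viewer: Optional[User], order_id: int) -> str:
    """Map a resolver call to 'ok', 'auth' or 'notfound' so both can be compared."""
    try:
        resolver(viewer, order_id)
        return "ok"
    except AuthError:
        return "auth"
    except NotFound:
        return "notfound"


MERCHANT_A = User("u-1", "merchant-A")   # constructed session for merchant A

if __name__ == "__main__":
    for name, resolver in (("vulnerable", resolve_order_vulnerable),
                           ("fixed", resolve_order_fixed)):
        print(name,
              "| own order:", probe(resolver, MERCHANT_A, 1001),
              "| other merchant's order:", probe(resolver, MERCHANT_A, 1002))
```

Because a GraphQL document can reach the same `Order` type through many paths (a customer's orders, a shop's recent orders, a refund's parent order), the ownership test belongs in the data-access layer that every resolver shares, not in the one `order(id:)` field that happened to be reported.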

1. What is GraphQL introspection and why is it dangerous in production?
