Identified a hidden GraphQL endpoint in the iOS version of a popular app, allowing user ID swaps (IDOR) to access 20M+ users' PII (emails, names, photos).
Reported via @Hacker0x01 & secured a $2200 bounty! 🛠️🔐
#DataBreach
#BugBounty
#appsec
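As an added example (not part of the original post, and not the app's or the reporter's code), here is a minimal GraphQL-style `user(id:)` resolver in plain JavaScript, written without the graphql library so it runs stand-alone. It shows the user-ID-swap IDOR the post describes beside an object-level authorization fix. The resolver names, the in-memory user table, the query shape and the public/private field split are all assumptions made for illustration.

```javascript
// Added example: a GraphQL-style user resolver with and without object-level
// authorization. Everything here (user table, resolver names, query format)
// is constructed for illustration and is not the app's code.

// Constructed sample data standing in for the app's user table.
const USERS = {
  "1001": { id: "1001", name: "Alice", email: "alice@example.com", photo: "/p/1001.jpg" },
  "1002": { id: "1002", name: "Bob",   email: "bob@example.com",   photo: "/p/1002.jpg" },
};

// Fields any logged-in user may read about any other user (assumption).
const PUBLIC_FIELDS = ["id", "name"];

// Vulnerable resolver: authentication is checked, but the requested id is never
// compared with the caller's identity, so any logged-in user can read any other
// user's PII simply by swapping the id argument. This is the IDOR pattern.
function resolveUserVulnerable(args, context) {
  if (!context.userId) throw new Error("unauthenticated");
  return USERS[args.id] || null;
}

// Hardened resolver: object-level authorization. The caller gets the full
// record only for their own id; for anyone else only the public projection.
function resolveUserHardened(args, context) {
  if (!context.userId) throw new Error("unauthenticated");
  const user = USERS[args.id];
  if (!user) return null;
  if (args.id !== context.userId) {
    const pub = {};
    for (const f of PUBLIC_FIELDS) pub[f] = user[f];
    return pub;
  }
  return user;
}

// Tiny stand-in for a GraphQL executor: pulls the id argument and the selected
// field names out of a query like `{ user(id: "1002") { name email } }`,
// runs the resolver, and returns only the fields that the resolver exposed.
function execute(query, context, resolver) {
  const m = /user\s*\(\s*id\s*:\s*"([^"]+)"\s*\)\s*\{([^}]*)\}/.exec(query);
  if (!m) throw new Error("unsupported query");
  const fields = m[2].trim().split(/\s+/).filter(Boolean);
  const user = resolver({ id: m[1] }, context);
  if (user === null) return { user: null };
  const out = {};
  for (const f of fields) if (f in user) out[f] = user[f];
  return { user: out };
}

// The ID swap from the post: Alice (1001) is logged in and asks for 1002.
function demo() {
  const ctx = { userId: "1001" };
  const q = '{ user(id: "1002") { name email photo } }';
  return {
    vulnerable: execute(q, ctx, resolveUserVulnerable),
    hardened: execute(q, ctx, resolveUserHardened),
  };
}
```

With the vulnerable resolver the swapped query returns Bob's email and photo to Alice; with the hardened one she only gets his name. The fix is the check in the resolver, not anything at the transport layer: GraphQL's schema validates argument types, not who is allowed to read which object, so every resolver that takes an object id needs its own ownership or role check.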
@lohigowda_in
@Hacker0x01
First, congratulations on the finding.
Second: this should be higher than just $2,200. The minimum could be $10k, even higher.