GraphQL abuse: Bypass account level permissions through parameter smuggling
Authorization Bypass
If you’re unfamiliar with GraphQL, here’s a quick refresher: in its most basic use case, GraphQL lets a client request exactly the fields it wants on an object, in a single query, but that is just the beginning.
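To make the refresher concrete, here is an added example (not code from the Detectify article, and not the technique it describes): a toy executor for a small subset of GraphQL query syntax (selection sets, nested fields, simple arguments) over constructed in-memory user records. It shows that the client chooses which fields come back, and that an access rule therefore has to run per resolved field. The `email` visibility policy, the data, and the function names are all assumptions made for the illustration.

```python
"""Toy GraphQL-style field selection with a per-field access rule.

Added illustration only; it is not the Detectify article's code and does not
implement a real GraphQL server. It handles a subset of query syntax:
  { user(id: 2) { name email }  users { id } }
"""
import re

# Constructed sample data (not from the article).
USERS = {
    1: {"id": 1, "name": "alice", "email": "alice@example.com", "role": "admin"},
    2: {"id": 2, "name": "bob", "email": "bob@example.com", "role": "user"},
}

# One token per match: punctuation, quoted string, integer, or name.
TOKEN_RE = re.compile(r'\s*(?:([{}():])|("(?:[^"\\]|\\.)*")|(-?\d+)|([A-Za-z_]\w*))')


def tokenize(query):
    """Split a query into (kind, value) tokens; reject anything outside the subset."""
    query = query.strip()
    tokens, pos = [], 0
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"bad token at {pos}: {query[pos:pos + 10]!r}")
        pos = m.end()
        if m.group(1):
            tokens.append(("punct", m.group(1)))
        elif m.group(2):
            tokens.append(("str", m.group(2)[1:-1]))
        elif m.group(3):
            tokens.append(("int", int(m.group(3))))
        else:
            tokens.append(("name", m.group(4)))
    return tokens


def parse_selection_set(tokens, pos):
    """Parse '{ field(args) { ... } ... }' starting at tokens[pos]; return (fields, next_pos).

    Each field is a tuple (name, args_dict, sub_selections)."""
    if tokens[pos] != ("punct", "{"):
        raise ValueError("expected '{'")
    pos += 1
    fields = []
    while pos < len(tokens) and tokens[pos] != ("punct", "}"):
        kind, name = tokens[pos]
        if kind != "name":
            raise ValueError(f"expected field name, got {tokens[pos]}")
        pos += 1
        args = {}
        if pos < len(tokens) and tokens[pos] == ("punct", "("):
            pos += 1
            while tokens[pos] != ("punct", ")"):
                if tokens[pos][0] != "name" or tokens[pos + 1] != ("punct", ":"):
                    raise ValueError("malformed argument")
                args[tokens[pos][1]] = tokens[pos + 2][1]
                pos += 3
            pos += 1
        sub = []
        if pos < len(tokens) and tokens[pos] == ("punct", "{"):
            sub, pos = parse_selection_set(tokens, pos)
        fields.append((name, args, sub))
    if pos >= len(tokens):
        raise ValueError("unterminated selection set")
    return fields, pos + 1


def parse_query(query):
    tokens = tokenize(query)
    fields, pos = parse_selection_set(tokens, 0)
    if pos != len(tokens):
        raise ValueError("trailing tokens after query")
    return fields


def is_field_visible(viewer_id, obj, field):
    """Assumed policy (not from the article): email is visible to its owner and to admins."""
    if field == "email":
        return obj["id"] == viewer_id or USERS[viewer_id]["role"] == "admin"
    return field in obj  # unknown fields resolve to null rather than erroring


def resolve_root(field, args):
    if field == "user":
        return USERS.get(args.get("id"))
    if field == "users":
        return list(USERS.values())
    raise ValueError(f"unknown root field {field!r}")


def execute_selection(viewer_id, obj, selections):
    """Apply the access rule to every selected field, recursing into nested selections."""
    out = {}
    for name, args, sub in selections:
        if not is_field_visible(viewer_id, obj, name):
            out[name] = None
            continue
        value = obj[name]
        out[name] = execute_selection(viewer_id, value, sub) if sub else value
    return out


def execute(viewer_id, query):
    """Run a query on behalf of viewer_id and return the shaped result."""
    out = {}
    for name, args, sub in parse_query(query):
        value = resolve_root(name, args)
        if value is None:
            out[name] = None
        elif isinstance(value, list):
            out[name] = [execute_selection(viewer_id, v, sub) for v in value]
        else:
            out[name] = execute_selection(viewer_id, value, sub)
    return out


if __name__ == "__main__":
    print(execute(2, "{ user(id: 2) { name email } }"))
    print(execute(2, "{ user(id: 1) { name email } }"))
```

The point of keeping the rule in `is_field_visible` rather than in a single check at the top of `execute` is that the same data is reachable through more than one path (`user(id:)` and `users` here): a check that runs once per request, or only in one resolver, leaves every other path to the field unguarded.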
https://labs.detectify.com/2018/03/14/graphql-abuse/