Hello readers,
I hope you’re all doing great.
In today’s article, I want to walk you through a real-world vulnerability I found while testing a GraphQL-based invitation feature on target.com. What made this finding interesting was how normal it looked at first.
It was not a classic XSS. It was not an account takeover. It was not an admin panel bypass. It was not even a hidden endpoint that immediately looked dangerous.
It was just an invitation feature.
But sometimes, the most useful bugs are hidden inside normal business workflows. A feature that allows users to invite other people into a workspace, team, class, project, or community can easily become a source of sensitive data exposure if the backend reveals too much information.
That is exactly what happened here.
While testing the application, I noticed that the platform allowed an authenticated user to create a community and invite multiple users by email. The functionality itself was…