June 20, 2026
From GraphQL Introspection to Critical Data Exposure: Discovering Unauthenticated Access to KYC…
savan-025
Introduction
While performing security research on a public bug bounty program, I came across what initially appeared to be a routine GraphQL configuration issue. However, a few minutes of investigation revealed something much more serious: unauthenticated access to sensitive KYC verification data and payment records.
This article walks through the discovery process, explains the impact of the vulnerability, and highlights why access control failures remain one of the most critical security issues in modern applications.
Initial Reconnaissance
As part of my normal reconnaissance process, I began by enumerating the organization's public-facing assets and subdomains.
Among the discovered assets was a database-related subdomain that appeared to host a GraphQL service.
At this stage, I had no credentials, API tokens, or authenticated access.
Identifying a GraphQL Endpoint
After examining the service, I identified a publicly accessible GraphQL endpoint.
GraphQL APIs often support schema introspection, a feature that allows developers to explore available queries, mutations, and object types.
To determine whether introspection was enabled, I submitted a standard schema discovery query.
The server responded successfully and returned the complete schema.
This immediately confirmed that the GraphQL endpoint was publicly accessible and exposing its internal structure.
Exploring the Schema
Using the introspection results, I began reviewing available object types and database tables.
Several interesting entities became visible, including tables related to:
- User onboarding
- KYC verification
- Payment processing
- Transaction management
The schema provided a clear map of the application's backend structure.
While schema exposure alone is not always a security issue, it often serves as a valuable starting point for further testing.
Testing Authorization Controls
The next step was to determine whether the API properly enforced authentication and authorization.
I began issuing simple read-only GraphQL queries against a few exposed objects.
To my surprise, the server returned data immediately without requiring:
- Authentication
- Session cookies
- API keys
- JWT tokens
This indicated that authorization controls were either missing or incorrectly configured.
Discovery of KYC OTP Exposure
Further investigation revealed that a KYC-related table was accessible without any authentication.
The returned records contained verification OTP values associated with KYC workflows.
The data was returned directly through GraphQL queries and could be accessed by any external user who knew the endpoint.
This significantly increased the impact of the vulnerability because OTPs are commonly used as part of identity verification processes.
Exposure of such information could potentially undermine the integrity of KYC procedures.
Payment Data Exposure
While reviewing additional tables, I identified payment-related records that were also accessible without authentication.
The exposed information included transaction-related data that should only be accessible to authorized users and internal systems.
Although I limited my testing to the minimum amount of data required for verification, it was clear that sensitive financial information was being exposed publicly.
Why This Vulnerability Was Critical
Many people assume that GraphQL introspection is the primary issue in situations like this.
In reality, introspection was only the entry point.
The critical vulnerability was the absence of proper access controls.
The attack path looked like this:
- Publicly accessible GraphQL endpoint.
- Introspection enabled.
- Internal schema exposed.
- Sensitive tables identified.
- Queries executed without authentication.
- KYC OTPs and payment records exposed.
The root cause was not GraphQL itself but broken authorization.
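The fix for the attack path above sits in the resolver layer, not in the schema. The following is an added example written for this article, not code from the affected application or the author's report. It models the KYC and payment objects the writeup mentions with constructed rows, wraps every root resolver in an authorization check that fails closed for unauthenticated callers, restricts ordinary users to their own rows, and strips secrets such as the KYC OTP before anything leaves the resolver. Type names, field names, roles and the policy table are all assumptions for illustration.

```javascript
// Added example (not the author's code): resolver-level authorization for a GraphQL
// API whose schema exposes KYC and payment objects. Schema, rows and roles are constructed.

// Constructed sample rows standing in for the database tables behind the API.
const db = {
  kycVerification: [
    { id: 'kyc-1', userId: 'u-1', status: 'pending', verificationOtp: '482913' },
    { id: 'kyc-2', userId: 'u-2', status: 'verified', verificationOtp: '117204' },
  ],
  payment: [
    { id: 'pay-1', userId: 'u-1', amount: 120.5, currency: 'EUR', cardLast4: '4242' },
    { id: 'pay-2', userId: 'u-2', amount: 18.0, currency: 'EUR', cardLast4: '0005' },
  ],
};

// Raw resolvers only know how to fetch; authorization is layered on top below.
const rawResolvers = {
  Query: {
    kycVerification: (_parent, { id }) => db.kycVerification.find((r) => r.id === id) || null,
    payment: (_parent, { id }) => db.payment.find((r) => r.id === id) || null,
  },
};

// Policy (assumed): which roles may call each root field, which roles are limited to rows
// they own, and which columns are never returned to any client. Fields that are not listed
// here are denied by default, so a new resolver is closed until someone writes a rule for it.
const policy = {
  'Query.kycVerification': { roles: ['user', 'compliance'], ownerOnly: ['user'], hide: ['verificationOtp'] },
  'Query.payment': { roles: ['user', 'finance'], ownerOnly: ['user'], hide: ['cardLast4'] },
};

class AuthorizationError extends Error {}

// Wrap every resolver so it checks the caller carried in `context` before doing any work.
function withAuthorization(resolvers, rules) {
  const guarded = {};
  for (const [typeName, fields] of Object.entries(resolvers)) {
    guarded[typeName] = {};
    for (const [fieldName, resolve] of Object.entries(fields)) {
      const rule = rules[`${typeName}.${fieldName}`];
      guarded[typeName][fieldName] = (parent, args, context) => {
        const user = context && context.user;
        if (!user) throw new AuthorizationError(`${typeName}.${fieldName}: authentication required`);
        if (!rule || !rule.roles.includes(user.role)) {
          throw new AuthorizationError(`${typeName}.${fieldName}: role ${user.role} not permitted`);
        }
        const row = resolve(parent, args, context);
        if (row === null) return null;
        if (rule.ownerOnly.includes(user.role) && row.userId !== user.id) {
          // Answer "not found" rather than "forbidden" so ids cannot be probed for existence.
          return null;
        }
        // Least privilege at the field level: secrets no client needs are removed here,
        // so a misconfigured client or schema cannot request them at all.
        const safe = { ...row };
        for (const f of rule.hide) delete safe[f];
        return safe;
      };
    }
  }
  return guarded;
}

const resolvers = withAuthorization(rawResolvers, policy);

// Mirrors how a GraphQL executor would invoke a root field with the request context.
function runQuery(field, args, context) {
  try {
    return { data: resolvers.Query[field](null, args, context), error: null };
  } catch (e) {
    if (e instanceof AuthorizationError) return { data: null, error: e.message };
    throw e;
  }
}

// Stand-alone demonstration: anonymous caller, owner, and a cross-user read.
console.log(runQuery('kycVerification', { id: 'kyc-1' }, {}));
console.log(runQuery('kycVerification', { id: 'kyc-1' }, { user: { id: 'u-1', role: 'user' } }));
console.log(runQuery('kycVerification', { id: 'kyc-2' }, { user: { id: 'u-1', role: 'user' } }));
```

The wrapper is deliberately placed around the resolvers rather than in front of the HTTP endpoint: a gateway-level check would have blocked this particular finding, but it would not stop an authenticated user from reading another user's KYC record, and it would still return the OTP to anyone who passed the gate. The OTP column is stripped unconditionally because no client-facing query has a legitimate need for it.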
Potential Impact
If exploited by a malicious actor, this issue could have resulted in:
- Exposure of sensitive user information.
- Compromise of KYC verification workflows.
- Unauthorized access to financial records.
- Large-scale privacy violations.
- Regulatory and compliance consequences.
- Loss of customer trust.
Because no authentication was required, the barrier to exploitation was extremely low.
Responsible Disclosure
After validating the issue, I collected only the minimum evidence necessary to demonstrate impact and avoided any unnecessary access to user data.
A detailed report was then submitted through the organization's responsible disclosure program, including:
- Technical details
- Reproduction steps
- Proof of impact
- Remediation recommendations
The goal of responsible disclosure is always to help organizations improve security while minimizing risk to users.
Lessons Learned
This finding reinforces several important security lessons:
Disable Unnecessary Introspection in Production
While introspection is useful during development, organizations should carefully evaluate whether it is needed in production environments.
Implement Strong Authorization Controls
Every GraphQL query should be protected by appropriate authentication and authorization mechanisms.
Apply Least Privilege Principles
Services should only expose the minimum amount of data necessary for their intended functionality.
Regularly Audit Sensitive Endpoints
APIs handling KYC, financial, or personal information should undergo frequent security reviews.
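The audit lesson above is easier to act on when the two signals from this writeup, introspection requests and unauthenticated reads of sensitive types, are picked out of the API logs automatically. The following scanner is an added example written for this article, not tooling from the author or the affected organization. The JSON log format, its field names, the list of sensitive type names and every log line are constructed assumptions; a real deployment would map the same checks onto whatever its gateway actually emits.

```javascript
// Added example (not from the original article): scanning GraphQL access logs for
// introspection and for unauthenticated queries that touch KYC or payment objects.
// Log format, field names and type names are assumed; all lines are constructed.

// Assumed: root field names the application treats as sensitive.
const SENSITIVE_TYPES = ['kycVerification', 'payment', 'transaction', 'onboarding'];

// Constructed sample log: one JSON object per request, as an API gateway might write it.
const sampleLog = [
  '{"ts":"2026-06-20T09:00:01Z","src":"203.0.113.10","auth":false,"query":"query { __schema { types { name } } }"}',
  '{"ts":"2026-06-20T09:00:04Z","src":"203.0.113.10","auth":false,"query":"query { kycVerification(id:\\"kyc-1\\") { status verificationOtp } }"}',
  '{"ts":"2026-06-20T09:00:09Z","src":"203.0.113.10","auth":false,"query":"query { payment(id:\\"pay-1\\") { amount cardLast4 } }"}',
  '{"ts":"2026-06-20T09:01:00Z","src":"198.51.100.7","auth":true,"subject":"u-1","query":"query { payment(id:\\"pay-1\\") { amount } }"}',
  '{"ts":"2026-06-20T09:01:30Z","src":"198.51.100.8","auth":true,"subject":"dev-2","query":"{ __type(name:\\"Query\\") { fields { name } } }"}',
  'this line is not JSON and must not crash the scanner',
];

// __schema and __type are the introspection entry points. The word boundary keeps the
// ordinary __typename field from matching.
function isIntrospection(query) {
  return /\b__schema\b|\b__type\b/.test(query);
}

// Sensitive root fields referenced anywhere in the query text.
function sensitiveTypesIn(query) {
  return SENSITIVE_TYPES.filter((t) => new RegExp(`\\b${t}\\b`).test(query));
}

// Walks the log and returns findings plus a count of lines it could not parse.
function scanLogLines(lines) {
  const findings = [];
  let malformed = 0;
  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch (e) {
      malformed += 1; // keep going: a broken line must not hide the rest of the log
      continue;
    }
    if (typeof rec.query !== 'string') {
      malformed += 1;
      continue;
    }
    if (isIntrospection(rec.query)) {
      // Introspection by an authenticated developer is informational; from an anonymous
      // source it suggests the production endpoint is exposing its schema.
      findings.push({ ts: rec.ts, src: rec.src, rule: 'introspection', severity: rec.auth ? 'info' : 'medium' });
    }
    const types = sensitiveTypesIn(rec.query);
    if (!rec.auth && types.length > 0) {
      // An unauthenticated request reaching a sensitive type is the core failure in the article.
      findings.push({ ts: rec.ts, src: rec.src, rule: 'unauthenticated-sensitive-read', severity: 'high', types });
    }
  }
  return { findings, malformed };
}

// Count high-severity findings per source address, the view a responder wants first.
function summarizeBySource(findings) {
  const counts = {};
  for (const f of findings) {
    if (f.severity !== 'high') continue;
    counts[f.src] = (counts[f.src] || 0) + 1;
  }
  return counts;
}

// Stand-alone run over the constructed log.
const report = scanLogLines(sampleLog);
console.log(report.findings);
console.log('high-severity by source:', summarizeBySource(report.findings));
console.log('unparseable lines:', report.malformed);
```

Two choices are worth noting. Introspection alone is only graded medium, matching the article's point that it was the entry point rather than the vulnerability; the unauthenticated read of a sensitive type is what gets the high rating. The scanner also tolerates malformed lines instead of aborting, since a log that stops being parseable in the middle of an incident is exactly when the remaining lines matter most.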
Conclusion
Modern APIs provide tremendous flexibility and power, but they also expand the attack surface when security controls are not properly implemented.
In this case, a publicly accessible GraphQL endpoint ultimately led to the discovery of unauthenticated access to highly sensitive KYC and payment-related data.
The finding serves as another reminder that even sophisticated applications can be compromised by something as fundamental as missing access controls.
For security researchers, the lesson is simple: always test authorization. Some of the most impactful vulnerabilities begin with a single overlooked endpoint.