A small GraphQL behavior created a very real availability problem.
Most bug bounty hunters look for obvious impact.
Account takeover. Sensitive data leaks. IDORs. SSRF. RCE.
But sometimes the bug is not about stealing data.
Sometimes the right question is:
Can the application be forced to do expensive work repeatedly from a single request?
That was the core idea behind this HackerOne report.
In this article, I break down a Denial-of-Service report against HackerOne’s GraphQL API, in which the verifyAccountRecoveryPhoneNumber mutation could be executed many times inside a single HTTP request by using GraphQL aliases.
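To make the mechanism concrete before the walkthrough, here is an added example (not code from the report, from @hellokbit, or from HackerOne). It builds a GraphQL document that repeats one mutation under distinct aliases, and shows the server-side check a defender would add: count the selections in the root selection set and reject documents that exceed a policy limit. The argument names `phoneNumber` and `code` are assumptions for illustration; the page does not show the real arguments of the mutation.

```python
import json
import re

# Name of the mutation the report abused. The input fields used below
# (phoneNumber, code) are illustrative assumptions, not HackerOne's real schema.
MUTATION_NAME = "verifyAccountRecoveryPhoneNumber"


def build_aliased_mutation(count, phone_number="+15555550100", code="000000"):
    """Build one GraphQL request body that calls MUTATION_NAME `count` times.

    Each repetition gets a distinct alias (a0, a1, ...). Aliases are what let
    the same field appear more than once in a single selection set, so the
    server executes the resolver once per alias inside one HTTP request.
    """
    fields = [
        f'a{i}: {MUTATION_NAME}(input: {{phoneNumber: "{phone_number}", code: "{code}"}}) {{ errors }}'
        for i in range(count)
    ]
    query = "mutation {\n  " + "\n  ".join(fields) + "\n}"
    return {"query": query}


_STRING = re.compile(r'"(?:[^"\\]|\\.)*"')
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def count_root_fields(query):
    """Count selections in the root selection set of a GraphQL document.

    Walks the text tracking `{`/`}` and `(`/`)` nesting. An identifier at brace
    depth 1 and paren depth 0 is one root selection unless it is the field
    following an alias colon, a fragment spread (after '...'), or a directive
    (after '@'). Assumes a single operation per document; string literals are
    blanked first so braces inside them do not disturb the depth count.
    """
    text = _STRING.sub('""', query)
    brace = paren = count = 0
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "{":
            brace += 1
        elif ch == "}":
            brace -= 1
        elif ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
        elif brace == 1 and paren == 0:
            m = _IDENT.match(text, i)
            if m:
                # Look back past whitespace to see what introduced this identifier.
                j = i - 1
                while j >= 0 and text[j].isspace():
                    j -= 1
                if j < 0 or text[j] not in ":.@":
                    count += 1
                i = m.end()
                continue
        i += 1
    return count


def is_within_alias_limit(body, max_root_fields=5):
    """Server-side gate against alias batching: accept the request only if the
    root selection set holds at most `max_root_fields` selections. The limit
    value is a policy choice made up for this example."""
    return count_root_fields(body["query"]) <= max_root_fields


if __name__ == "__main__":
    body = build_aliased_mutation(50)
    print(json.dumps(body, indent=2))
    print("root selections:", count_root_fields(body["query"]))
    print("accepted under limit of 5:", is_within_alias_limit(body))
```

The same count is also the natural input for a per-request cost budget: rather than a flat alias cap, assign the mutation a cost and reject the document once the summed cost of its root selections exceeds the budget. Either way, the check has to run before any resolver executes, otherwise the expensive work has already been done by the time the request is rejected.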
The original report was submitted by @hellokbit. My goal here is to analyze the thinking behind the report and make the vulnerability easy to understand for beginner to intermediate bug bounty hunters who are learning GraphQL testing.
The reported bounty was $12,500.