$1000 Bounty: GitLab Security Flaw Exposed
GitLab was found to have a GraphQL type-check vulnerability that let maintainers delete repositories; the bounty was $1000. 2025-10-30 09:3:2 Author: infosecwriteups.com (view original) Views: 9 Favorites

How a $1000 Bounty Hunt Revealed a GraphQL Type Check Nightmare Allowing Maintainers to Nuke Repositories

Monika sharma


Hey folks, welcome back to another deep dive into the wild world of bug bounties! Today, we’re unpacking a slick vulnerability report that snagged a cool $1000 bounty on HackerOne. This report (858671) shines a spotlight on a sneaky GraphQL flaw in GitLab that let project maintainers, users who should never have that power, wipe out entire repositories as casually as deleting spam emails.

I’ll break it down step by step: the what, the why, the how-to-reproduce, and the fallout. (Pro tip: GitLab fixed this beast, but understanding it could save your next API from a similar facepalm.)

The Setup: GitLab’s Permission Puzzle

GitLab is a powerhouse for code collaboration; think GitHub but with more enterprise flair. In a typical project, roles are locked down tight:

  • Developer: Can code and review, but cannot delete projects.
  • Maintainer: Can manage merges, issues, and snippets, but crucially, cannot delete or archive the repository. That’s owner/admin territory.
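The page does not show GitLab's own code or its fix, so here is an added illustration (my code, not GitLab's and not from the HackerOne report) of the two checks a destructive GraphQL mutation needs to honour the role split above: first, that the global ID handed to the mutation really names the object type the mutation is meant to act on, and second, that the caller's role on the resolved project meets the mutation's minimum. The `gid://app/Type/id` format, the role ranking, the member list and the user names are all constructed assumptions; the mechanics of report 858671 are not reproduced here.

```python
"""Added example: role-gated delete mutations over a toy GraphQL-style ID scheme.

Models the permission split the write-up describes (Developers and
Maintainers cannot delete a project; Owners can) and shows a resolver that
refuses to act on an ID of the wrong type instead of trusting the caller.
Everything here is constructed for illustration; it is not GitLab code.
"""
from dataclasses import dataclass
from typing import Dict


# Role hierarchy: a higher rank grants everything a lower rank does (assumed ordering).
ROLE_RANK = {"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}


@dataclass
class Project:
    id: int
    name: str
    members: Dict[str, str]  # username -> role name


@dataclass
class Snippet:
    id: int
    project_id: int


# Constructed in-memory "database": one project with an owner, a maintainer and a developer.
PROJECTS = {1: Project(1, "payments", {"alice": "owner", "bob": "maintainer", "carol": "developer"})}
SNIPPETS = {7: Snippet(7, project_id=1)}
TYPE_TABLES = {"Project": PROJECTS, "Snippet": SNIPPETS}


class AuthorizationError(Exception):
    """Caller's role is below the minimum the mutation requires."""


class TypeMismatch(Exception):
    """The global ID names a different object type than the mutation expects."""


def parse_gid(gid: str):
    """Split 'gid://app/Type/123' into ('Type', 123); reject anything malformed."""
    prefix = "gid://app/"
    if not gid.startswith(prefix):
        raise ValueError(f"not a global id: {gid!r}")
    type_name, _, raw_id = gid[len(prefix):].partition("/")
    if not type_name or not raw_id.isdigit():
        raise ValueError(f"malformed global id: {gid!r}")
    return type_name, int(raw_id)


def resolve_global_id(gid: str, expected_type: str):
    """Resolve a global ID, but only if its type matches what the mutation expects."""
    type_name, obj_id = parse_gid(gid)
    if type_name != expected_type:
        raise TypeMismatch(f"expected {expected_type}, got {type_name}")
    obj = TYPE_TABLES[type_name].get(obj_id)
    if obj is None:
        raise LookupError(f"{type_name} {obj_id} not found")
    return obj


def require_role(user: str, project: Project, minimum: str) -> None:
    """Raise unless `user` holds at least `minimum` on `project`; non-members get nothing."""
    role = project.members.get(user)
    if role is None or ROLE_RANK[role] < ROLE_RANK[minimum]:
        raise AuthorizationError(f"{user} is {role or 'not a member'}; {minimum} required")


def project_delete(user: str, gid: str) -> dict:
    """Destructive mutation: only an Owner of the project may remove it."""
    project = resolve_global_id(gid, "Project")
    require_role(user, project, "owner")
    del PROJECTS[project.id]
    return {"deleted": "Project", "name": project.name}


def snippet_delete(user: str, gid: str) -> dict:
    """Snippets are Maintainer territory (assumed), so the bar is lower here."""
    snippet = resolve_global_id(gid, "Snippet")
    project = PROJECTS[snippet.project_id]
    require_role(user, project, "maintainer")
    del SNIPPETS[snippet.id]
    return {"deleted": "Snippet", "id": snippet.id}


def attempt(mutation, user: str, gid: str) -> dict:
    """Run a mutation and report the outcome as data, for tests and audit logs alike."""
    try:
        return {"ok": True, "result": mutation(user, gid)}
    except (AuthorizationError, TypeMismatch, LookupError, ValueError) as exc:
        return {"ok": False, "error": type(exc).__name__, "detail": str(exc)}


if __name__ == "__main__":
    for user, mutation, gid in [("bob", project_delete, "gid://app/Project/1"),
                                ("alice", project_delete, "gid://app/Snippet/7"),
                                ("alice", project_delete, "gid://app/Project/1")]:
        print(user, mutation.__name__, gid, "->", attempt(mutation, user, gid))
```

The point of `resolve_global_id` is that the expected type is fixed by the mutation, not inferred from the ID the client sends, and the role check runs against the project the object actually belongs to; either check alone leaves a gap.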

Enter GraphQL: GitLab’s shiny API for querying and mutating data efficiently. It’s…


Article source: https://infosecwriteups.com/1000-bounty-gitlab-security-flaw-exposed-dd309788abb4?source=rss----7b722bfd1b8d---4