IDOR vulnerability in unreleased HackerOne Copilot feature
Medium
Vulnerability Details
**Summary:**
Hello HackerOne security team :-)
For a while now I have been monitoring H1 js files. I've just noticed some new GraphQL queries about `HackerOne Copilot`. While this feature has not yet been released, the vulnerability must be fixed.
`DestroyLlmConversation` GraphQL mutation is vulnerable to IDOR.
### Steps To Reproduce
1. Navigate to `https://hackerone.com/opportunities/all`
2. Execute this JS command to show `Hackerone Copilot` GUI
```javascript
// Reporter's snippet: strip the `hidden` class (and a theme class) from every
// div so the not-yet-released Copilot panel becomes visible.
document.querySelectorAll('div').forEach(e => {
  e.classList.remove('hidden');
  e.classList.remove('dark:text-white');
});
```
{F2790650}
3. The Hackerone Copilot GUI will appear; here you can create a new conversation. It looks like you can't talk to the LLM at the moment.
4. After creating a new conversation, look for the `"operationName":"NewConversation",` GraphQL request in your `Proxy History` and save the value of `data.newConversation.llm_conversation.id` from the response.
5. From the second (attacker) account, send the following GraphQL request:
```json
{"operationName":"DestroyLlmConversation","variables":{"llmConversationId":"#"},"query":"\n mutation DestroyLlmConversation($llmConversationId: ID!) {\n destroyConversation(input: { llm_conversation_id: $llmConversationId }) {\n destroyed\n }\n }\n"}
```
6. Go back to the victim account, refresh the page, execute the script again, and notice that the conversation is gone.
## Impact
This vulnerability allows the attacker to remove any LLM conversation in the unreleased `HackerOne Copilot` feature. This feature has not been released yet although this might still be vulnerable in the future when this feature is released.
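The root cause described above is a mutation that authenticates the caller but never checks that the caller owns the record it is about to delete. The following is an added illustration, not HackerOne's code, of that pattern beside its fix: an in-memory conversation store, a vulnerable `destroyConversation` resolver, and a hardened one that scopes the lookup to the caller and records ownership mismatches for detection. All names here (`createStore`, `destroyConversationVulnerable`, `destroyConversationSafe`, `replayScenario`, the user and conversation ids) are hypothetical.

```javascript
// Added example (not HackerOne's code): the IDOR pattern behind the report and
// its hardened counterpart, modelled on a tiny in-memory conversation store.

// Constructed sample data: two users, each owning one conversation.
function createStore() {
  return {
    conversations: new Map([
      ["conv-1", { id: "conv-1", ownerId: "user-victim" }],
      ["conv-2", { id: "conv-2", ownerId: "user-attacker" }],
    ]),
    // Security events a detection pipeline could alert on.
    auditLog: [],
  };
}

// Vulnerable resolver: the caller must be signed in, but the record is fetched
// by id alone, so any authenticated user can destroy any conversation.
function destroyConversationVulnerable(store, { llm_conversation_id }, context) {
  if (!context.currentUser) throw new Error("authentication required");
  const conv = store.conversations.get(llm_conversation_id);
  if (!conv) return { destroyed: false };
  store.conversations.delete(conv.id);
  return { destroyed: true };
}

// Hardened resolver: ownership is part of the lookup, so an id that belongs to
// another user behaves exactly like an id that does not exist.
function destroyConversationSafe(store, { llm_conversation_id }, context) {
  if (!context.currentUser) throw new Error("authentication required");
  const conv = store.conversations.get(llm_conversation_id);
  if (conv && conv.ownerId !== context.currentUser.id) {
    // An ownership mismatch on a destructive mutation is a strong IDOR-probe
    // signal: record it server-side, but answer the client as if the record
    // were missing so the endpoint does not confirm which ids exist.
    store.auditLog.push({
      event: "idor_attempt",
      mutation: "destroyConversation",
      actor: context.currentUser.id,
      target: llm_conversation_id,
    });
    return { destroyed: false };
  }
  if (!conv) return { destroyed: false };
  store.conversations.delete(conv.id);
  return { destroyed: true };
}

// Replays the report's scenario against a resolver: the second account submits
// the first account's conversation id and we observe what happened to the record.
function replayScenario(resolver) {
  const store = createStore();
  const secondAccount = { currentUser: { id: "user-attacker" } };
  const result = resolver(store, { llm_conversation_id: "conv-1" }, secondAccount);
  return {
    destroyed: result.destroyed,
    victimConversationStillExists: store.conversations.has("conv-1"),
    auditEvents: store.auditLog.length,
  };
}

console.log("vulnerable:", replayScenario(destroyConversationVulnerable));
console.log("hardened:  ", replayScenario(destroyConversationSafe));
```

Run it with `node` and the vulnerable resolver reports `destroyed: true` with the victim's conversation gone, while the hardened one reports `destroyed: false`, leaves the record in place, and emits one audit event. The design point is that the authorization check belongs in the data access itself (fetch the conversation *for this user*), not as an afterthought in the resolver, so every future mutation on the type inherits it.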
Report Stats
- Report ID: 2218334
- State: Closed
- Substate: resolved
- Upvotes: 187