Read-only team members can read all properties of webhooks
Low
HackerOne
Reported by
bencode
Vulnerability Details
Technical details and impact analysis
**Description:**
A team member can view all properties of webhooks despite not needing them.
### Steps To Reproduce
1. Have an admin of a program set up webhooks
2. As a team member (read-only), log in
3. Run the following GraphQL query:
```
{
  query {
    team(handle: "security") {
      name
      webhooks {
        nodes {
          id
          secret
          url
        }
      }
    }
  }
}
```
4. See that you get data back
## Impact
Read-only users will be able to identify where webhooks exist and their secrets.
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Improper Access Control - Generic
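
The weakness class above, shown as an added example that is not part of the original report and is not HackerOne's code: a resolver that checks only team membership next to one that checks every selected webhook field against the viewer's role, plus a small audit helper for regression tests. The role names, the policy table, the function names and the sample webhook are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the viewer may not read a requested field."""

@dataclass(frozen=True)
class Viewer:
    name: str
    role: str  # assumed role names: "admin" or "read_only"

# Constructed sample data standing in for a team's configured webhooks.
WEBHOOKS = [{"id": "wh_1", "url": "https://hooks.example.test/in",
             "secret": "constructed-secret"}]

# Assumed policy: roles allowed to read each webhook field.
# Any field missing from this table is denied for everyone.
WEBHOOK_FIELD_ROLES = {"id": {"admin"}, "url": {"admin"}, "secret": {"admin"}}

def resolve_webhooks_membership_only(viewer, fields):
    """Flawed pattern: team membership is the only check, so every field resolves."""
    return [{f: hook[f] for f in fields} for hook in WEBHOOKS]

def resolve_webhooks_field_checked(viewer, fields):
    """Deny by default: each selected field must be allowed for the viewer's role."""
    denied = [f for f in fields
              if viewer.role not in WEBHOOK_FIELD_ROLES.get(f, set())]
    if denied:
        raise Forbidden(f"{viewer.role} may not read: {', '.join(denied)}")
    return [{f: hook[f] for f in fields} for hook in WEBHOOKS]

def audit_field_access(resolver, viewer, fields):
    """Return the set of fields the resolver actually discloses to the viewer."""
    disclosed = set()
    for f in fields:
        try:
            rows = resolver(viewer, [f])
        except Forbidden:
            continue
        if any(f in row for row in rows):
            disclosed.add(f)
    return disclosed

if __name__ == "__main__":
    reader = Viewer("constructed-user", "read_only")
    for resolver in (resolve_webhooks_membership_only, resolve_webhooks_field_checked):
        seen = audit_field_access(resolver, reader, ["id", "secret", "url"])
        print(resolver.__name__, "discloses to read_only:", sorted(seen))
```

Running `audit_field_access` for every role against every field in a test suite turns this class of report into a failing test before release.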