Trusted extra eyes for stuck bug bounty findings
Digital banking platform (US neobank). Mapped GraphQL mutations for critical financial operations: draft transaction deletion, tip refunds, and peer-to-peer transfers. Each mutation accepts a target ID parameter that may not be validated against the authenticated user's ownership. Three test scripts are ready to check for IDOR on: (1) delete_draft - can you delete another user's pending transaction? (2) refund_tip - can you trigger a refund on another user's tip? (3) P2P transfer manipulation - can you alter the recipient or amount? Every mutation requires valid authenticated session cookies. QA account enrollment was declined. If any IDOR vector confirms, this is a P1/P2 financial impact finding. Need someone with an active account who can execute pre-written Python scripts against the GraphQL endpoint.
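The weakness described above is a missing ownership check in the mutation resolver: the server trusts the client-supplied target ID and never compares the object's owner with the session user. The following added example (not code from the posting, the platform, or its scripts; all names, IDs and the in-memory store are constructed assumptions) shows the flawed resolver pattern beside a corrected one for a delete_draft-style mutation, with the corrected version returning the same error for "not found" and "not owned" and recording the denied attempt so that repeated cross-account ID probing is visible to detection.

```python
"""Ownership enforcement for a GraphQL-style mutation (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Draft:
    draft_id: str
    owner_id: str
    amount_cents: int


@dataclass
class Session:
    """Represents the authenticated caller derived from the session cookie."""
    user_id: str


class AuthzError(Exception):
    """Raised when the target object does not exist or is not owned by the caller."""


# Constructed sample data: two users, each with one pending draft transaction.
SAMPLE_DRAFTS = {
    "d-1001": Draft("d-1001", "user-alice", 2500),
    "d-1002": Draft("d-1002", "user-bob", 9900),
}

# Denied attempts are appended here; a real service would emit them as audit events.
DENIED_LOG = []


def delete_draft_unchecked(session, draft_id, drafts):
    """IDOR pattern: the ID is looked up and deleted without an ownership check."""
    if draft_id not in drafts:
        raise AuthzError("draft not found")
    del drafts[draft_id]
    return True


def delete_draft_checked(session, draft_id, drafts):
    """Corrected resolver: the draft must exist AND belong to the session user."""
    draft = drafts.get(draft_id)
    if draft is None or draft.owner_id != session.user_id:
        # Same error for missing and foreign objects, so the response does not
        # reveal whether another user's ID exists; the denial is still logged.
        DENIED_LOG.append(
            f"denied delete_draft user={session.user_id} target={draft_id}"
        )
        raise AuthzError("draft not found")
    del drafts[draft_id]
    return True


def cross_account_attempt(handler):
    """Run one cross-account deletion through the given handler on a fresh copy.

    Returns True if bob managed to delete alice's draft, False if it was refused.
    """
    drafts = dict(SAMPLE_DRAFTS)
    try:
        handler(Session("user-bob"), "d-1001", drafts)
    except AuthzError:
        return False
    return "d-1001" not in drafts


def denied_attempts_for(user_id):
    """Count logged denials for one user, the signal a detection rule would threshold."""
    return sum(1 for line in DENIED_LOG if f"user={user_id} " in line)


if __name__ == "__main__":
    print("unchecked resolver lets cross-account delete:", cross_account_attempt(delete_draft_unchecked))
    print("checked resolver lets cross-account delete:", cross_account_attempt(delete_draft_checked))
    print("denied attempts logged for user-bob:", denied_attempts_for("user-bob"))
```

The same ownership comparison belongs in every mutation that takes an object ID (refund and transfer resolvers included), and the check must run server-side against the session identity, never against a user ID supplied in the request.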