+++ title = "Airbuds" date = 2024-12-16 slug = "airbuds" description = "Trying to break their api." draft = true

[taxonomies] tags = ["reverse engineering", "graphql"] +++

Recently my cousin introduced me to the Airbuds app. Naturally I used it for a little bit. Slept a bit. And then booted up Proxypin to see if I could extract phone numbers from the app. With the base requests it appeared that I couldn't (:sadge:). I could get my phone number for my own profile however so I knew that it was likely stored in a user record somewhere (editor kieran: umm yeah duh). The more interesting part of this though was that it was a graphql api.

Phase 2#

Now knowing that it had a graphql api I wanted to see if there was a way to reverse engineer it. I have had suprisingly little experience with them but doing some quick ducking revealed that they can potentially have introspection enabled allowing us to get a full schema of what we can get. That sounds awesome but hopefully from a security standpoint unlikely to be enabled.