This blog post is instead about looking at the normal operation of a GraphQL query, looking closely at the response, and then feeding that information back into the request (the GraphQL query itself) to, you got it, make it do something it wasn’t intended to do – resulting in account takeover in this instance.