DOS via Mutation Aliasing in GraphQL Account Recovery Phone Number Verification API

**Summary:** The GraphQL API’s `verifyAccountRecoveryPhoneNumber` mutation can be aliased multiple times in a single request, causing the server to process each mutation sequentially. Each additional alias adds approximately 8 seconds to the server’s response time, enabling (DoS) attack by exhausting server resources and increasing latency. **Description:** The `verifyAccountRecoveryPhoneNumber` mutation is designed to verify user phone numbers during account recovery phone change. However, the API does not limit the number of mutation aliases in a single GraphQL request. When the same mutation is repeated with different aliases, the server executes each one separately, performing expensive backend operations multiple times. This leads to a linear increase in response time based on the number of aliases included. The result is a resource exhaustion vulnerability that can degrade or deny service availability to legitimate users. ### Steps To Reproduce 1. Prepare a GraphQL mutation request with multiple aliases for `verifyAccountRecoveryPhoneNumber`, In this case, the response time will exceed 20 seconds because each alias (verify1, verify2, verify3) adds approximately 8 seconds of processing time. ```graphql mutation VerifyAccountRecoveryPhoneNumberMutations($verification_code: String!, $otp_code: String) { verify1: verifyAccountRecoveryPhoneNumber(input: { verification_code: $verification_code, otp_code: $otp_code }) { __typename me { } } verify2: verifyAccountRecoveryPhoneNumber(input: { verification_code: $verification_code, otp_code: $otp_code }) { __typename } verify3: verifyAccountRecoveryPhoneNumber(input: { verification_code: $verification_code, otp_code: $otp_code }) { __typename } } } ``` 2. Send the request to the GraphQL endpoint with valid or dummy `verification_code` and `otp_code` variables. 3. Observe the response time increases by 8 seconds for each additional mutation alias included. ## Impact An attacker can exploit this vulnerability to cause a Denial of Service (DoS) by sending a single GraphQL request with multiple aliases of the expensive mutation. This forces the server to perform repeated, resource-intensive operations sequentially, significantly increasing response times and consuming server resources. As a result, legitimate users may experience severe delays or be completely unable to access the affected service, leading to degraded availability and potential service disruption. This DoS attack can be triggered without high network traffic, making it easier to exploit stealthily.