Sleep
2 min read · Mar 16, 2024

GraphQL Internal Server Error: Twitter, denied by HackerOne again

dbms submitted a report to X (Formerly Twitter).
October 3, 2022, 4:27pm UTC
Summary:
GraphQL Internal Server Error
Description:
{"errors":[{"message":"Something went wrong","extensions":{"name":"InternalServerError","source":"Server","code":0,"kind":"Unknown","tracing":{"trace_id":"f3d2ad236f79bf27"}},"code":0,"kind":"Unknown","name":"InternalServerError","source":"Server","tracing":{"trace_id":"f3d2ad236f79bf27"}}]}
Steps To Reproduce:
Go to https://api.twitter.com/graphql/4S2ihIKfF3xhp-ENxvUAfQ/UserByScreenName?variables=%7Btest%7B
Or we can curl https://api.twitter.com/graphql/4S2ihIKfF3xhp-ENxvUAfQ/UserByScreenName?variables=%7Btest%7B
{"errors":[{"code":215,"message":"Bad Authentication data."}]}
Impact: [add why this issue matters]
In link one
https://api.twitter.com/graphql/4S2ihIKfF3xhp-ENxvUAfQ/UserByScreenName?variables=%7Btest%7B
{"errors":[{"message":"Something went wrong","extensions":{"name":"InternalServerError","source":"Server","code":0,"kind":"Unknown","tracing":{"trace_id":"f3d2ad236f79bf27"}},"code":0,"kind":"Unknown","name":"InternalServerError","source":"Server","tracing":{"trace_id":"f3d2ad236f79bf27"}}]}
Impact
Code Injection
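The reproduction step in the report boils down to one malformed input: `%7Btest%7B` URL-decodes to `{test{`, which is not valid JSON, and the endpoint answers with the opaque InternalServerError envelope rather than a 400 for bad input. The block below is an added example, not the report's code and not X/Twitter's server code. It is a minimal GraphQL-over-GET handler written two ways: one that parses the untrusted `variables` parameter before anything else and lets the parse failure escape to a catch-all, and one that authenticates first and rejects malformed variables with a 400 before any resolver runs. The handler names, the Bearer-token check and the HTTP status codes (500, 403, 400) are assumptions; the 215 code, the "Bad Authentication data." text and the shape of the error envelope are copied from the report, and the trace id is a constructed random value.

```python
import json
import secrets
from urllib.parse import parse_qs


class AuthError(Exception):
    """Raised when a request carries no acceptable credentials."""


def decode_query(query_string):
    """URL-decode a query string into single-valued parameters.
    '%7Btest%7B' comes back as the string '{test{'."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def check_auth(headers):
    """Hypothetical credential check: any Bearer token passes, none fails.
    The message mirrors the 'Bad Authentication data.' error quoted in the report."""
    if not headers.get("authorization", "").startswith("Bearer "):
        raise AuthError("Bad Authentication data.")


def server_error_envelope():
    """Generic envelope of the shape quoted in the report; the trace id is a
    constructed random value, not one from any real service."""
    return {"errors": [{"message": "Something went wrong",
                        "extensions": {"name": "InternalServerError",
                                       "source": "Server",
                                       "tracing": {"trace_id": secrets.token_hex(8)}}}]}


def catch_all(handler):
    """Framework-style wrapper: AuthError becomes the 215 envelope, and any
    other uncaught exception becomes a 500 with the generic envelope."""
    def wrapped(query_string, headers):
        try:
            return handler(query_string, headers)
        except AuthError as exc:
            return 403, {"errors": [{"code": 215, "message": str(exc)}]}
        except Exception:
            return 500, server_error_envelope()
    return wrapped


@catch_all
def handle_naive(query_string, headers):
    """Unhardened ordering: untrusted 'variables' are parsed before the caller
    is authenticated, and a parse failure is not caught, so it surfaces as an
    opaque 500 instead of a 400."""
    params = decode_query(query_string)
    variables = json.loads(params.get("variables", "{}"))  # raises on '{test{'
    check_auth(headers)
    return 200, {"data": {"variables": variables}}


@catch_all
def handle_hardened(query_string, headers):
    """Hardened ordering: authenticate first, then validate 'variables' and
    answer malformed input with a 400 before any resolver runs."""
    check_auth(headers)
    params = decode_query(query_string)
    try:
        variables = json.loads(params.get("variables", "{}"))
    except json.JSONDecodeError:
        return 400, {"errors": [{"message": "variables must be a JSON object"}]}
    if not isinstance(variables, dict):
        return 400, {"errors": [{"message": "variables must be a JSON object"}]}
    return 200, {"data": {"variables": variables}}


if __name__ == "__main__":
    bad = "variables=%7Btest%7B"                               # the report's input
    good = "variables=%7B%22screen_name%22%3A%22jack%22%7D"      # constructed valid input
    token = {"authorization": "Bearer constructed-token"}      # constructed credential
    for name, handler, qs, hdrs in [
        ("naive, no auth, malformed", handle_naive, bad, {}),
        ("hardened, no auth, malformed", handle_hardened, bad, {}),
        ("hardened, auth, malformed", handle_hardened, bad, token),
        ("hardened, auth, valid", handle_hardened, good, token),
    ]:
        status, body = handler(qs, hdrs)
        print(f"{name}: {status} {json.dumps(body)}")
```

Run it and the naive handler turns the report's input into a 500 carrying a fresh trace id, while the hardened one answers 403 without credentials (the variables are never parsed, which is the ordering the curl result in the report is consistent with) and 400 with credentials plus malformed variables. That is also the substance of the triager's question: a 500 on malformed input shows a missing validation step, and a report needs to show what an attacker gains from it beyond the generic envelope.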
bugtriage-jay

changed the status to Needs more info.
October 3, 2022, 4:35pm UTC
Thank you for your report
We have reviewed the information you have provided, and we’d like some clarification on the security risk this behavior presents to Twitter’s users or infrastructure. Based on the returned error from the curl request “Bad Authentication data”, this endpoint appears to require authentication to make requests.
Please keep in mind that our HackerOne program does not generally accept theoretical or potential reports, and requires that researchers demonstrate how the behavior they have found can be used in an attack. With that in mind, can you demonstrate how this behavior could be leveraged against Twitter’s users or infrastructure? Can you provide reproduction steps which show a working attack that relies on this behavior?
Thanks for thinking of Twitter security.
dbms

changed the status to New.
October 3, 2022, 6:27pm UTC
So, with that being said, it would be out of scope for me to fuzz / element-manipulate it, but I'm happy to help in any way. Thank you for taking the time out of your day to review and respond so quickly. I am new to doing writeups and reporting these kinds of things, and I do not want to break the Twitter ToS in any way, shape or form ❤
dbms

posted a comment.
Updated October 3, 2022, 6:29pm UTC
Also, if we go here: https://api.twitter.com/graphql/4S2ihIKfF3xhp-ENxvUAfQ/ it says GET is not allowed with permission. Would love to see what I can do.
bugtriage-jay

closed the report and changed the status to Informative.
Updated October 3, 2022, 6:30pm UTC

Thank you for your response,
As you have been unable to provide sufficient technical information indicating that this behavior can be utilized in an attack against Twitter’s users or its infrastructure, we will close this report as Informative. Please also be advised our scope is clearly defined at our Program Page.
Regardless, we do appreciate your efforts here, and we hope you’ll continue reporting security issues to us in the future.
Thank you for thinking of Twitter security.
