An Odd Authentication Bypass

We discussed this vulnerability during Episode 131 on 28 March 2022

I’m not even too sure why this one works, but basically, changing the JSON object sent in results in being able to log in as (presumably) arbitrary accounts.

Basically, the normal login request would look like:

{
  "email":"test@example.com",
  "password":"example"
}

Changing this to

{
  "root": {
    "email":"test@example.com",
    "password":"example"
  }
}

would log in as an administrative account. My best guess is that this might have been closer to a SQL Injection-style issue. On the server end, some code may have been processing this to turn it into a sane query using the keys from the JSON dictionary, perhaps similar in nature to the MySQLjs issue we covered a few weeks ago.
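To make the guessed mechanism concrete, here is an added example (not code from the original post, and not a reconstruction of the affected application): a hypothetical "build the WHERE clause from whatever keys arrive" handler beside a strict-shape check. The naive builder shows why the pattern is dangerous even without knowing the exact server code: the request's own keys become column names and the intended email/password filter silently disappears, leaving the driver to decide what an object-valued parameter means. The hardened path uses a fixed query and rejects any body that is not exactly a flat `{email, password}` pair of strings. Function names, the `users` table and its columns are assumptions.

```javascript
// Added example (hypothetical, not the original application's code).
// Two constructed request bodies: the normal login and the nested variant from the post.
const normalBody = { email: "test@example.com", password: "example" };
const nestedBody = { root: { email: "test@example.com", password: "example" } };

const ALLOWED_FIELDS = ["email", "password"];

// Naive pattern the post guesses at: every top-level key of the parsed JSON becomes
// a column comparison. Returns the SQL text (placeholders only) plus bound params.
function naiveWhere(body) {
  const clauses = [];
  const params = [];
  for (const [key, value] of Object.entries(body)) {
    clauses.push("`" + key + "` = ?"); // attacker-controlled key used as a column name
    params.push(value);               // value may be a string, object, array, ...
  }
  return { sql: "SELECT * FROM users WHERE " + clauses.join(" AND "), params };
}
// With nestedBody this yields "... WHERE `root` = ?" and binds an object: the email and
// password conditions are gone, and how the driver serialises an object parameter
// (the MySQLjs behaviour the post refers to) now decides what the query means.

// Hardened shape check: exactly the allowed fields, each a non-empty string.
function validateLoginBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, reason: "body must be a JSON object" };
  }
  const extra = Object.keys(body).filter((k) => !ALLOWED_FIELDS.includes(k));
  if (extra.length > 0) {
    return { ok: false, reason: "unexpected field(s): " + extra.join(", ") };
  }
  for (const field of ALLOWED_FIELDS) {
    if (typeof body[field] !== "string" || body[field].length === 0) {
      return { ok: false, reason: field + " must be a non-empty string" };
    }
  }
  return { ok: true, email: body.email, password: body.password };
}

// Hardened query: the SQL text is fixed; only the validated email is bound. The
// password is verified afterwards against the stored hash, never in the WHERE clause.
function hardenedQuery(body) {
  const v = validateLoginBody(body);
  if (!v.ok) throw new Error("rejected login body: " + v.reason);
  return { sql: "SELECT id, password_hash FROM users WHERE email = ?", params: [v.email] };
}

// Stand-alone demonstration.
console.log(naiveWhere(normalBody).sql);
console.log(naiveWhere(nestedBody).sql);
console.log(validateLoginBody(nestedBody));
console.log(hardenedQuery(normalBody));
```

The detection-side takeaway is the same as the hardening one: a login endpoint has a known, fixed request shape, so any body with unexpected top-level keys or non-string credential fields is both something to reject and something worth logging.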

It is definitely an interesting test case to keep in mind, though; some applications try to be too smart for their own good.