Missteps In GraphQL APIs Leading To Vulnerabilities: Salt Labs Research


Salt Security has released new API threat research from Salt Labs that highlights a GraphQL API authorization vulnerability in a B2B financial technology (FinTech) platform. The findings call attention to authorization-level flaws that can arise with nested queries in GraphQL, an open-source query language used to build APIs. These findings were identified by researching the mobile applications and SaaS platform of this FinTech provider, the company added.

Salt Labs found that the failure to implement authorization checks correctly meant the researchers could submit unauthorized transactions against any customer account and harvest any customer’s sensitive data.

According to the Salt Security State of API Security Report, Q3 2021, 62% of organizations have no or just a basic API security strategy in place. This lack of protection is particularly worrisome as cyberattacks targeting APIs are on the rise alongside the adoption of relatively new technologies like GraphQL, which has doubled from 2020 to 2021, according to industry sources.

In the case of the GraphQL authorization flaw discovered by Salt Labs, attackers can manipulate API calls to exfiltrate sensitive user data and initiate unauthorized transactions. This financial technology platform also introduced an additional security gap, in which some API calls accessed an API endpoint that required no authentication.

Salt Labs researchers could enter any transaction identifier and pull back data records of previous financial transactions. Across these two significant vulnerabilities, any user could extract sensitive personally identifiable information (PII) of any customer, and transfer funds out of customers’ accounts without their knowledge.
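The nested-query authorization gap described above, as an added example in plain Python (not code from Salt Labs or from the platform they studied): a top-level account resolver that checks ownership, a nested transaction resolver that skips that check, and a hardened version beside it. The account and transaction records, the `ctx` dictionary and the resolver names are constructed for the example.

```python
# Constructed sample data; nothing here comes from the Salt Labs report.
ACCOUNTS = {"acct-1": {"owner": "alice"}, "acct-2": {"owner": "bob"}}
TRANSACTIONS = {
    "tx-100": {"account": "acct-1", "amount": 25.0, "payee": "grocer"},
    "tx-200": {"account": "acct-2", "amount": 900.0, "payee": "landlord"},
}


class Unauthorized(Exception):
    """Raised when the caller may not read the requested object."""


def resolve_account(ctx, account_id):
    """Top-level `account(id:)` field: checks that the caller owns the account."""
    acct = ACCOUNTS.get(account_id)
    if ctx.get("user") is None or acct is None or acct["owner"] != ctx["user"]:
        raise Unauthorized(f"{ctx.get('user')} may not read {account_id}")
    return {"id": account_id, **acct}


def resolve_transaction_vulnerable(ctx, parent_account, tx_id):
    """Nested `transaction(id:)` field, vulnerable: it assumes the parent
    resolver already authorized the caller and fetches whatever id the client
    supplies, so any user can read any customer's transaction record."""
    return TRANSACTIONS.get(tx_id)


def resolve_transaction_fixed(ctx, parent_account, tx_id):
    """Nested `transaction(id:)` field, hardened: re-checks authentication and
    verifies the transaction belongs to the already-authorized parent account."""
    if ctx.get("user") is None:
        raise Unauthorized("authentication required")
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx["account"] != parent_account["id"]:
        # Same error for "not found" and "not yours", so responses do not
        # reveal which transaction ids exist.
        raise Unauthorized(f"{ctx['user']} may not read {tx_id}")
    return tx


def run_query(ctx, account_id, tx_id, nested_resolver):
    """Simulates executing `{ account(id) { transaction(id) { ... } } }`:
    the top-level resolver runs first, then the nested one on its result."""
    parent = resolve_account(ctx, account_id)
    return nested_resolver(ctx, parent, tx_id)
```

With the vulnerable resolver, alice's authorized query on her own account still returns bob's transaction when she supplies his transaction id; the hardened resolver refuses it while still serving her own records.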
