Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more
Nearly two-thirds of organizations lack at least a basic API security strategy, according to the latest report by Salt Security. This gap in protection is particularly worrisome as cyberattacks targeting APIs are on the rise alongside the adoption of relatively new technologies like GraphQL. GraphQL’s adoption has doubled from 2020 to 2021 and continues to accelerate. However, security awareness around GraphQL is still relatively low. Several aspects of GraphQL API structure can create security risks that can be difficult to assess.
Salt Labs, the research division of Salt Security, identified a novel GraphQL API authorization vulnerability that can arise in nested API queries. Salt Labs identified this vulnerability within a large business-to-business financial technology (fintech) platform, which offers financial services in the form of API-based mobile apps and SaaS to small and medium-sized businesses as well as commercial brands. Researchers were able to launch attacks where any user could submit unauthorized transactions against other customers or harvest sensitive customer data.
This discovered vulnerability enables potential attackers to manipulate API calls in order to exfiltrate data and initiate unauthorized transactions. In addition, researchers found that some API calls were able to access an API endpoint that required no authentication, thus further enabling attackers to enter any transaction identifier and pull back data records of previous financial transactions.
GraphQL’s vulnerabilities are particularly problematic, as the number of developers using GraphQL is accelerating. GraphQL APIs are inherently difficult to secure due to their unique flexibility and structure, which is why Salt Security is investing in this research and providing capabilities to address API security needs in this space.
The organization employed GraphQL in its technology stack to power the account activities of customers using mobile apps. The organization also leveraged a third-party API to retrieve records of prior customer account transactions. The implementation failed to properly authenticate and authorize customers. As a result, Salt Labs researchers were able to submit unauthorized transactions against other customers of the financial services provider, correlate user account activity, and retrieve PII about customers.
Maintaining the anonymity of this service provider is essential, so technical details that could identify the organization have been sanitized. Upon identifying the vulnerability, Salt Labs’ delivered its findings and provided recommended mitigation to the organization following responsible disclosure policies. As part of the broader Salt Labs mission, the company is sharing the findings to increase awareness around API vulnerabilities, including attack patterns, steps to propagating the attack, and highlighting mitigation techniques.
Read the full report by Salt Security.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.
Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more