Critical vulnerability in GraphQL API platform

A security report details the discovery of a GraphQL API authorization vulnerability in a major B2B financial platform. Exploiting it would have allowed threat actors to conduct unauthorized transactions against the accounts of affected customers, as well as harvest sensitive information and perform other malicious actions by manipulating API calls.

The report, prepared by security firm Salt Labs, does not explicitly mention the name of the affected company as a way to protect users, although researchers say the flaws have already been addressed.

Salt Security researcher Michael Isbitski mentions that adoption of GraphQL APIs is slower than that of REST but is growing rapidly because of the potential benefits for front-end design and performance. A recent survey found that while most companies use REST, other options such as webhooks, WebSockets, GraphQL, and SOAP are gaining popularity.

The researchers identified this vulnerability in the company’s SaaS platform and in the mobile applications that interact with it; the root cause was incorrectly implemented authorization checks. In addition, the experts found that some API calls could reach an API endpoint that did not require authentication, allowing threat actors to supply any transaction identifier and retrieve the data records of previous financial transactions.

GraphQL APIs are, by themselves, difficult to protect due to their unique flexibility and structure. Roey Eliyahu, CEO of Salt Security, mentioned that GraphQL offers some advantages in query options compared to REST APIs, but this flexibility carries a risk because a single API call could include multiple independent queries.

The researchers explained that authentication and authorization in mobile app designs are often broken or absent because developers focus on usability. Cybercriminals know that code bases are often managed by different teams and look for vulnerabilities in both frontend clients and backend services. Web API communications are typically encrypted with SSL or TLS, which gives businesses the impression that they are protected, but transport encryption does nothing to verify that the caller is allowed to access the requested record.

Organizations must ensure that each transaction requires authorization and that appropriate verifications are met.
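The two failure modes described above, an endpoint that returns any record for any transaction identifier and a single GraphQL request carrying several independent queries, are illustrated here with an added example; it is not the affected platform's code or Salt Labs' material. The schema (a single `transaction(id:)` field), the transaction records, the customer identifiers and the minimal query parser are all constructed for the example; a real service would use a GraphQL library and the parser here exists only so the block runs offline. The vulnerable resolver is shown beside a hardened one that enforces authentication and object-level ownership on every resolver call, so each query in a batched request is checked individually.

```python
"""Object-level authorization in GraphQL resolvers: vulnerable vs. hardened.
Everything here (schema, data, ids, query shape) is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: transaction records owned by two different customers.
TRANSACTIONS = {
    "txn-1001": {"id": "txn-1001", "owner": "cust-A", "amount": 250.0, "memo": "invoice 17"},
    "txn-1002": {"id": "txn-1002", "owner": "cust-B", "amount": 9800.0, "memo": "payroll"},
}


class AuthorizationError(Exception):
    """Raised by a resolver when the caller may not see the requested object."""


@dataclass
class Context:
    # Identity established by the transport layer; None means no authentication at all.
    user_id: Optional[str]


def resolve_transaction_vulnerable(ctx: Context, args: dict) -> Optional[dict]:
    """Vulnerable shape: no authentication and no ownership check, so any caller who
    can guess or enumerate an identifier gets the full record back."""
    return TRANSACTIONS.get(args["id"])


def resolve_transaction(ctx: Context, args: dict) -> dict:
    """Hardened shape: require an authenticated caller and verify that the requested
    record belongs to that caller (object-level authorization)."""
    if ctx.user_id is None:
        raise AuthorizationError("authentication required")
    txn = TRANSACTIONS.get(args["id"])
    # Use one indistinguishable answer for "missing" and "owned by someone else",
    # so the error channel does not reveal which identifiers exist.
    if txn is None or txn["owner"] != ctx.user_id:
        raise AuthorizationError("not found")
    return txn


RESOLVERS = {"transaction": resolve_transaction}

# Tiny parser for the restricted shape used in this example: `[alias:] field(id: "...")`.
# Nested selection sets such as `{ amount }` are ignored; a real server parses full GraphQL.
SELECTION_RE = re.compile(r'(?:(\w+)\s*:\s*)?(\w+)\s*\(\s*id\s*:\s*"([^"]+)"\s*\)')


def parse_selections(query: str):
    """Return a list of (response_key, field_name, args) for each top-level query."""
    return [
        (alias or field_name, field_name, {"id": ident})
        for alias, field_name, ident in SELECTION_RE.findall(query)
    ]


def execute(ctx: Context, selections, resolvers=RESOLVERS) -> dict:
    """Run every selection in the request. A single GraphQL request may carry many
    independent queries under different aliases; because the authorization check lives
    in the resolver, it runs once per query rather than once per HTTP request."""
    data, errors = {}, []
    for key, field_name, args in selections:
        try:
            data[key] = resolvers[field_name](ctx, args)
        except AuthorizationError as exc:
            data[key] = None
            errors.append({"path": [key], "message": str(exc)})
    return {"data": data, "errors": errors}


if __name__ == "__main__":
    batched = 'query { mine: transaction(id: "txn-1001") { amount } other: transaction(id: "txn-1002") { amount } }'
    print(execute(Context(user_id="cust-A"), parse_selections(batched)))
    print(execute(Context(user_id=None), parse_selections('{ transaction(id: "txn-1001") { amount } }')))
```

The design point is that the check is attached to the object being resolved, not to the endpoint: a request-level "is the user logged in" gate would still let an authenticated customer read another customer's records, and would be bypassed entirely by the unauthenticated endpoint the report describes.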

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.