A critical vulnerability in a widely used B2B fintech platform let security researchers “submit unauthorized transactions against other customers” and harvest user data as a result of GraphQL implementation failures.
That’s according to security firm Salt Security, whose researchers were commissioned to test the platform – which they have not named. They blamed the troubling issue on a flawed GraphQL implementation, alongside other insecure API calls – including one “which accessed an API endpoint that required no authentication”
“The organization employed GraphQL in its technology stack to power the account activities of customers using mobile apps. The organization also leveraged a third-party API to retrieve records of prior customer account transactions. The implementation failed to properly authenticate and authorize customers.
“As a result, Salt Labs researchers were able to submit unauthorized transactions against other customers of the financial services provider… and retrieve PII about customers” Salt Security said.
GraphQL is a query language that describes how to ask for data, and is typically used to load data from a server to a client. API developers often use GraphQL to create a schema to describe all the possible data that clients can query through that service. Whilst designed to make APIs fast, flexible, and developer-friendly, its implementation can result complex authorisation issues that leave gaping security flaws, Salt said.
The report comes as Gartner noted that “protecting web APIs with general purpose application security solutions alone continues to be ineffective. Each new API represents an additional and potentially unique attack vector into your systems” adding in a late 2021 report that “API threat protection technologies are making progress, but aren’t fully mature yet… Modern application architecture trends – including mobile access, microservice design patterns and hybrid on-premises/cloud usage – complicate API security since there is rarely a single “gateway” point at which protection can be enforce” the company added.
GraphQL implementation security issues
The Palo Alto-based, Israel-founded security firm, said it was brought in to help the “large consumer brand that offers a combination of B2B and B2C offerings” and was “sharing the findings here to increase awareness around API vulnerabilities, including explaining the attack pattern, detailing the steps to propagating the attack, and highlighting mitigation techniques”, adding that “maintaining the anonymity of this service provider is essential, so we have sanitized any technical details that could identify the organization.”
Salt initially published a blog on the issue in early December. It went somewhat underreported, and The Stack is revisiting it to share lessons learned on the GraphQL API implementation issues as shared by Salt.
“These security vulnerabilities were located on a GraphQL API endpoint, an API type that has grown in popularity over REST APIs for mobile app designs” the company noted in a detailed technical blog.
It added: “The organization was not authenticating or authorizing requests by cross-checking the identity of the sender during funds transfer requests. Similar attack techniques work for both GraphQL and REST API designs. The complexity of GraphQL, such as nested queries, often exacerbates the challenges of authorization, since a single API call can consolidate multiple queries and API endpoints.”
