Salt Security Report Surfaces GraphQL API Vulnerabilities

Salt Security today released a report highlighting a vulnerability its researchers discovered in an application programming interface (API) based on the GraphQL specification implemented by an undisclosed financial services firm.

Michael Isbitski, technical evangelist for Salt Security, said that as far as the researchers at Salt Labs could determine the vulnerability has yet to be exploited, but the report is intended to alert cybersecurity teams to the need to secure this emerging class of APIs that developers are starting to use more widely as an alternative to REST APIs.

The vulnerability involves how authorization to a GraphQL API is managed when queries are nested, said Isbitski. Salt Labs researchers found that, because authorization checks were not implemented correctly, they could submit unauthorized transactions against any customer account for which they could collect sensitive customer data.

The financial technology platform cited in the report also introduced an additional security gap through which some API calls accessed an API endpoint with no authentication required. Salt Labs researchers could enter any transaction identifier and pull data records of previous financial transactions.

Using those two vulnerabilities, Salt Labs researchers reported, it would be possible for attackers to both extract sensitive personally identifiable information (PII) and transfer funds from a customer’s account without their knowledge.
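To make the two gaps concrete, here is an added illustration (not code from the report or from the firm involved): a tiny stand-in for a GraphQL executor with a vulnerable schema, where ownership is checked only on the top-level `account` field and the `transaction` field needs no login, next to a hardened schema that enforces ownership in every resolver. The sample data, field names and the `ownedOrThrow` helper are assumptions.

```javascript
// Constructed sample data (not from the report): two customers, one account each.
const accounts = {
  A1: { id: "A1", owner: "alice", balance: 500 },
  A2: { id: "A2", owner: "bob", balance: 900 },
};
const transactions = { T2: { id: "T2", accountId: "A2", amount: 75 } };

// Minimal executor: a selection is {field: {args, select}}; a schema maps
// Type -> field -> {type?, resolve(parent, args, ctx)}, like a real server.
function execute(schema, type, parent, selection, ctx) {
  const out = {};
  for (const [field, spec] of Object.entries(selection)) {
    const def = schema[type][field];
    const value = def.resolve(parent, spec.args || {}, ctx);
    out[field] = def.type ? execute(schema, def.type, value, spec.select, ctx) : value;
  }
  return out;
}

// Single ownership check: the caller must be logged in and own the account.
function ownedOrThrow(acct, ctx) {
  if (!ctx.user || !acct || acct.owner !== ctx.user) throw new Error("forbidden");
  return acct;
}

// Vulnerable: only Query.account checks ownership. Query.transaction needs no
// login, and Transaction.account trusts its parent, so the nested query
// transaction(id) { account { balance } } walks around the check entirely.
const vulnerable = {
  Query: {
    account: { type: "Account", resolve: (_, { id }, ctx) => ownedOrThrow(accounts[id], ctx) },
    transaction: { type: "Transaction", resolve: (_, { id }) => transactions[id] },
  },
  Account: { id: { resolve: a => a.id }, balance: { resolve: a => a.balance } },
  Transaction: {
    amount: { resolve: t => t.amount },
    account: { type: "Account", resolve: t => accounts[t.accountId] },
  },
};

// Hardened: every resolver that hands out a Transaction or an Account enforces
// ownership itself, so nesting cannot reach data the caller does not own.
const hardened = {
  ...vulnerable,
  Query: {
    ...vulnerable.Query,
    transaction: { type: "Transaction", resolve: (_, { id }, ctx) => {
      const t = transactions[id];
      if (!t) throw new Error("not found");
      ownedOrThrow(accounts[t.accountId], ctx);
      return t;
    } },
  },
  Transaction: {
    ...vulnerable.Transaction,
    account: { type: "Account", resolve: (t, _, ctx) => ownedOrThrow(accounts[t.accountId], ctx) },
  },
};

// The nested query an authorization review should try against both schemas.
const nestedQuery = { transaction: { args: { id: "T2" }, select: { account: { select: { balance: {} } } } } };

function run(schema, user) {
  try { return execute(schema, "Query", null, nestedQuery, { user }); }
  catch (e) { return e.message; }
}
```

Running `run(vulnerable, "alice")` returns Bob's balance through the nested path, while `run(hardened, "alice")` and an anonymous `run(hardened, undefined)` both stop with "forbidden".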

In general, cybercriminals are increasingly focusing attacks on APIs because the developers that create them often have little to no cybersecurity expertise. Salt Security’s third-quarter 2021 State of API Security Report found 62% of organizations have no API security strategy in place or, if they do, it is a very basic one.

In some cases, developers are betting that cybercriminals are not yet scanning for GraphQL APIs because they are not yet widely used in production environments, said Isbitski. However, as GraphQL becomes more popular, it’s only a matter of time before cybercriminals look for ways to exploit these APIs, he noted. Security by obscurity is never a good strategy, added Isbitski. APIs built using GraphQL are also more challenging to secure because of their unique call and response formats.

GraphQL, originally created by Facebook, is gaining traction as an alternative to REST APIs because it gives developers more control over how data is accessed via an API using a set of query capabilities. Most IT organizations, however, will not be replacing REST APIs with GraphQL APIs overnight. Many applications may wind up invoking external services via both REST and GraphQL APIs for many years to come. As such, it’s imperative for organizations to be able to secure both GraphQL and REST APIs using a common security platform, said Isbitski.

It’s not clear whether security concerns will slow down the adoption of GraphQL APIs and to what degree. Most cybersecurity teams, however, are not able to dictate which APIs developers are allowed to employ; it’s largely up to cybersecurity teams to discover what APIs are being used throughout the enterprise. The challenge they face is that cybercriminals are also looking for those same APIs—all they need to do is find the right one that allows them to wreak havoc.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.