Salt Security published a study today outlining a vulnerability uncovered by its researchers in an application programming interface (API) based on the GraphQL standard deployed by an unnamed financial services organisation.
According to Michael Isbitski, technical evangelist for Salt Security, the vulnerability has yet to be exploited as far as the Salt Labs researchers can tell, but the report is intended to alert cybersecurity teams to the need to secure this emerging class of APIs that developers are beginning to use more widely as an alternative to REST APIs.
According to Isbitski, the vulnerability concerns how authorisation for a GraphQL API is handled when queries are nested. Researchers at Salt Labs found that, because permission checks were not properly implemented at every level of a nested query, they could submit fraudulent transactions against any client account and obtain sensitive user data.
The financial technology platform mentioned in the study also had a second security flaw: it allowed some API requests to reach an API endpoint without requiring authentication. Researchers at Salt Labs could enter any transaction identifier and retrieve data records for past bank transactions.
Salt Labs researchers concluded that, by combining these two vulnerabilities, attackers could collect sensitive personally identifiable information (PII) and transfer payments out of a customer's account without the customer's knowledge.
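As an added illustration (not code from the Salt Labs report or the affected platform), the following constructed JavaScript models the two weaknesses described above with a tiny resolver executor standing in for a GraphQL engine: a nested `account(id)` field that trusts a client-supplied id once the top-level `viewer` field has checked authentication, and a `transaction(id)` field reachable with no authentication, each beside a hardened schema that re-checks ownership inside every resolver. All names, fields and data here are assumptions.

```javascript
// Constructed sample data standing in for a fintech back end (not from the report).
const ACCOUNTS = {
  "acc-1": { id: "acc-1", owner: "alice", balance: 120 },
  "acc-2": { id: "acc-2", owner: "bob", balance: 900 },
};
const TRANSACTIONS = { "tx-7": { id: "tx-7", account: "acc-2", amount: 500 } };

// Minimal stand-in for a GraphQL engine: a query is a nested selection
// { field: { args, fields } }; each resolver gets (parent, args, ctx) and the
// engine recurses into the field's type for any sub-selection.
function execute(selection, parent, type, ctx) {
  const out = {};
  for (const [field, sel] of Object.entries(selection)) {
    const value = type[field].resolve(parent, sel.args || {}, ctx);
    out[field] = sel.fields && value != null ? execute(sel.fields, value, type[field].type, ctx) : value;
  }
  return out;
}
const Account = { balance: { resolve: (a) => a.balance } };
const Transaction = { amount: { resolve: (t) => t.amount } };
const requireLogin = (_, __, ctx) => {
  if (!ctx.user) throw new Error("unauthenticated");
  return {};
};

// Vulnerable schema: authentication is checked once at `viewer`, but the nested
// `account(id)` field trusts the client-supplied id, and `transaction(id)` needs
// no authentication at all (the two weaknesses the article describes).
const vulnerableQuery = {
  viewer: { resolve: requireLogin,
    type: { account: { type: Account, resolve: (_, a) => ACCOUNTS[a.id] } } },
  transaction: { type: Transaction, resolve: (_, a) => TRANSACTIONS[a.id] },
};

// Hardened schema: every resolver that takes an identifier re-checks that the
// record belongs to ctx.user, so nesting cannot bypass the object-level check.
function owned(record, ctx) {
  if (!ctx.user) throw new Error("unauthenticated");
  if (!record || record.owner !== ctx.user) throw new Error("forbidden");
  return record;
}
const hardenedQuery = {
  viewer: { resolve: requireLogin,
    type: { account: { type: Account, resolve: (_, a, ctx) => owned(ACCOUNTS[a.id], ctx) } } },
  transaction: { type: Transaction, resolve: (_, a, ctx) => {
    const tx = TRANSACTIONS[a.id];
    owned(tx && ACCOUNTS[tx.account], ctx); // ownership checked via the parent account
    return tx;
  } },
};
```

Running the same nested query as "alice" against both schemas shows the difference: the vulnerable schema returns another customer's balance, while the hardened one rejects it with "forbidden" and still serves her own account.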
In general, thieves are increasingly targeting APIs since the developers who construct them frequently lack cybersecurity skills. According to Salt Security’s third-quarter 2021 State of API Security Report, 62 percent of enterprises have no API security plan in place or have a very poor one.
According to Isbitski, some developers are wagering that cybercriminals are not currently searching for GraphQL APIs because they are not yet commonly used in commercial contexts. However, if GraphQL grows more popular, he believes it would only be a matter of time before attackers hunt for methods to abuse it. Isbitski said that security via obscurity is never a smart method. APIs designed using GraphQL are additionally more difficult to protect because their call and response formats differ from those of REST.
GraphQL, which was developed by Facebook, is gaining popularity as an alternative to REST APIs because it gives developers greater control over how data is accessed via an API through a set of query capabilities. Most IT businesses, on the other hand, will not replace REST APIs with GraphQL APIs overnight. For many years to come, many apps may end up contacting external services via both REST and GraphQL APIs. As a result, Isbitski believes that enterprises must be able to safeguard both GraphQL and REST APIs using a single security platform.
It is unclear whether, and to what extent, security issues will delay the adoption of GraphQL APIs. Most cybersecurity teams, on the other hand, are unable to mandate which APIs developers are permitted to use; it is mostly up to cybersecurity teams to determine which APIs are being utilised throughout the company. The problem is that fraudsters are hunting for the same APIs they are; all they need to do is locate one that allows them to wreak havoc.