Cybersecurity firm Salt Labs recently discovered a “GraphQL API authorization vulnerability” in a large B2B financial technology platform. This vulnerability would give attackers ways to submit unauthorized transactions against customer accounts and harvest sensitive data. What exactly is a GraphQL API authorization vulnerability, and why should security teams be concerned with this particular one?
Before we can discuss the GraphQL authorization flaws, it’s important to understand what an Application Programming Interface (API) is. ’Tis the season, so here we go: shopping. That’s it, plain and simple. Please allow me to walk you through a shopping scenario to help you understand APIs.
In the good ol’ days when businesses wanted to exchange goods or services, they would walk into a warehouse, take out a paper-based shopping list, and hopefully purchase only what was on the list.
In the good ol’ analog computing days, when businesses wanted to exchange information or services, data would be compiled into batch files (shopping lists) and exchanged and processed in bulk via antiquated and insecure protocols, leaving B2B transactions vulnerable.
Fast forward to today. In today’s fast-moving parallel computing environment, the use of APIs is a must for B2B transactions. As a result, the requests and responses of those API calls are far more complex, which is a double-edged sword: lots of information can be processed almost instantly, but checking that everything contained within an API call is valid and secure can be a daunting task (imagine processing thousands of them every second).
So, what can be done to solve this issue? Document everything! Understand all data flows and any variables that may be derived from them. Next, you need to test, and when you’re done, you need to test again, and when you think you’re done testing, get an independent third party to test even more deeply. While there are lots of sophisticated tools to help in automated testing of APIs (which I highly recommend doing), there’s no substitute for someone putting their hands on the keyboard.
Evidence of a lack of testing can be found in the recent reports of the GraphQL Authorization flaws in the FinTech platform. One tenet in today’s computing environment will always hold true. If you don’t thoroughly and regularly test your code, someone will most definitely test it for you, and they may not be so friendly.
The bottom line is this…APIs make the world go round. The digital economy can’t function without them. The concern I have is APIs are sometimes treated as an off-the-shelf piece of software without the care and feeding they require. So make your list, check it twice, then check it again.
Authorization flaws like this GraphQL one are common in APIs – they land on the OWASP API Security Top 10 list.
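To make the flaw described at the top of this piece concrete, and to show the kind of hands-on test the advice above calls for, here is an added example that is not code from the article, from Salt Labs, or from the affected platform. It models a GraphQL `submitTransaction` mutation resolver in plain Python (no GraphQL library); the account, user and resolver names are hypothetical.

```python
# Added example (not from the article or the platform it discusses): a minimal
# GraphQL-style mutation resolver for "submitTransaction", first in the shape
# that produces an authorization flaw, then hardened. All names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    owner_id: str
    balance: int


@dataclass
class Context:
    """Per-request context a GraphQL server passes to every resolver."""
    user_id: str                       # authenticated caller, set by the auth layer
    accounts: dict = field(default_factory=dict)


class Unauthorized(Exception):
    pass


def submit_transaction_flawed(ctx: Context, account_id: str, amount: int) -> int:
    """Flawed: trusts the client-supplied accountId argument and never checks
    that the caller owns the account (broken object-level authorization)."""
    acct = ctx.accounts[account_id]
    acct.balance -= amount
    return acct.balance


def submit_transaction(ctx: Context, account_id: str, amount: int) -> int:
    """Hardened: the ownership check lives inside the resolver itself."""
    acct = ctx.accounts.get(account_id)
    # Same error for "missing" and "not yours", so the API does not reveal which ids exist.
    if acct is None or acct.owner_id != ctx.user_id:
        raise Unauthorized("account not accessible")
    if amount <= 0 or amount > acct.balance:
        raise ValueError("invalid amount")
    acct.balance -= amount
    return acct.balance


def cross_tenant_check(resolver) -> bool:
    """Authorization test: user 'bob' attempts the mutation on 'alice's account
    (constructed sample data). Returns True when the resolver refuses."""
    ctx = Context(user_id="bob", accounts={"acc-1": Account("acc-1", "alice", 100)})
    try:
        resolver(ctx, "acc-1", 40)
    except Unauthorized:
        return True
    return False
```

Run `cross_tenant_check` against every resolver that takes an object id as input; the flawed version returns False, which is exactly the failure a test suite should catch before an outside party does.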