Let’s Talk About The GraphQL API Authorization Vulnerability

Dec 10, 2021 | Data & Cybersecurity

GraphQL API Authorization Vulnerability

Cybersecurity firm Salt Labs recently discovered a “GraphQL API authorization vulnerability” in a large B2B financial technology platform. The vulnerability would give attackers ways to submit unauthorized transactions against customer accounts and to harvest sensitive data. What exactly is GraphQL API authorization, and why should security teams be concerned with this particular vulnerability?

Before we can discuss the GraphQL authorization flaws, it’s important to understand what Application Programming Interface (API) means. ’Tis the season, so here we go. Shopping…that’s it, plain and simple. Please allow me to walk you through a shopping scenario to help you understand APIs.

In the good ol’ days when businesses wanted to exchange goods or services, they would walk into a warehouse, take out a paper-based shopping list, and hopefully purchase only what was on the list.

In the good ol’ analog computing days, when businesses wanted to exchange information or services, data would be compiled into batch files (shopping lists) and exchanged and processed in bulk via antiquated and insecure protocols, leaving B2B transactions vulnerable.

Fast forward to today. In today’s fast-moving parallel computing environment, the use of APIs is a must for B2B transactions. As such, the requests and responses of those API calls are far more complex, which is a double-edged sword. Lots of information can be processed almost instantly, but checking to make sure everything contained within an API call is valid and secure can be a daunting task (imagine processing thousands of them every second).

So, what can be done to solve this issue? Document everything! Understand all data flows and any variables that may be derived from them. Next, you need to test, and when you’re done, you need to test again, and when you think you’re done testing, get an independent third party to test even more deeply. While there are lots of sophisticated tools to help with automated testing of APIs (which I highly recommend doing), there’s no substitute for someone putting their hands on the keyboard.

Evidence of a lack of testing can be found in the recent reports of the GraphQL authorization flaws in the FinTech platform. One tenet of today’s computing environment will always hold true: if you don’t thoroughly and regularly test your code, someone will most definitely test it for you, and they may not be so friendly.

The bottom line is this…APIs make the world go round. The digital economy can’t function without them. The concern I have is that APIs are sometimes treated as an off-the-shelf piece of software without the care and feeding they require. So make your list, check it twice, then check it again.

Authorization flaws like the GraphQL one described above are common in APIs – common enough that they land on the OWASP API Security Top 10 list.

Ron Bradley

Ron Bradley has been involved with Shared Assessments in some capacity for over 15 years. Notably, Bradley wrote some of the very first questions for the Standardized Information Gathering (SIG) Questionnaire. In this course of time, his hair has transitioned from an afro to his current distinguished style.

With a depth of experience building TPRM programs in financial services (Bank of America) and manufacturing (Reynolds, Trane Technologies), Ron understands how cultures and organizations drive the supply chain and third party process. As Vice President, Ron strives to use his extensive knowledge of Third Party Risk Management to help organizations build programs that realize the full potential of the Shared Assessments toolkit.

Ron’s experience in Europe, Asia and South America has allowed him to assess different vendor environments and to build Third Party Risk Management operations from the ground up across the world. Ron is an expert in risk in the manufacturing environment, Operational Technology, and Operational IoT.

Ron lives in Charlotte, North Carolina, and takes frequent trips to Scottsdale, Arizona. He loves golf, travel, and his Big Green Egg, which brings the people around Ron excessive quantities of love, joy, and happiness. Ron’s 24-year-old daughter and his famed sister Kathleen Bradley (first black game hostess!) bring him great delight.

Connect with Ron on LinkedIn or by email.
