"Researchers Discover GraphQL Authorization Flaws in FinTech SaaS Platform"

New Application Programming Interface (API) threat research from Salt Labs highlights GraphQL API authorization vulnerabilities found in a B2B financial technology (FinTech) platform. Findings from the analysis of this FinTech provider's mobile applications and Software-as-a-Service (SaaS) platform bring further attention to authorization-level flaws that emerge with nested queries in GraphQL, an open-source query language for building APIs. According to Salt Labs, the failure to implement authorization checks properly meant that unauthorized transactions could be submitted against any customer account and that malicious actors could harvest any customer's sensitive data. GraphQL offers more flexible querying than REST APIs, but that flexibility is also a risk: a single API call can bundle multiple separate queries, and each nested object in a query is resolved separately, so an authorization check performed only on the top-level query leaves the nested data unprotected. The Salt Security State of API Security Report, Q3 2021, revealed that over 60 percent of organizations either lack an API security strategy or have only a basic one. This lack of protection is significant because cyberattacks targeting APIs are increasing together with the adoption of relatively new technologies such as GraphQL. Exploitation of the GraphQL authorization flaws could allow attackers to manipulate API calls into exfiltrating sensitive user data and initiating unauthorized transactions. Salt Labs researchers were able to supply any transaction identifier and retrieve records of previous financial transactions. Through the discovered vulnerabilities, any user could extract a customer's sensitive Personally Identifiable Information (PII) and secretly transfer funds out of customers' accounts. These findings emphasize the importance of dedicated API security tooling for organizations with API-based applications and platforms. This article continues to discuss the GraphQL API authorization flaws and the importance of improving API security.
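The flaw class described above is object-level authorization that is missing from the resolvers behind a GraphQL schema: a resolver looks an object up by the identifier the caller supplied and never asks whether the caller owns it, and because one request can carry many operations, an attacker can enumerate identifiers in a single call. The following is an added example written for this summary, not code from Salt Labs or from the FinTech platform it analysed. It models a tiny GraphQL-style executor with an in-memory data set (the account, transaction and user names are constructed), shows a vulnerable pair of resolvers beside a hardened pair that check ownership at every object-returning resolver (including the nested `account` field), and runs a batched "harvest" request against both.

```python
"""Toy GraphQL-style executor: missing object-level authorization beside a fix.

Added example for illustration. The data, resolver names and the mini executor
are constructed and are not the analysed platform's code or the graphql library.
"""
from typing import Callable, Dict, List, Optional, Tuple


class Forbidden(Exception):
    """Raised when the calling user may not read the requested object."""


# Constructed sample data: two customers, one account each, three transactions.
ACCOUNTS = {
    "acc-1": {"id": "acc-1", "owner": "alice", "ssn": "111-22-3333"},
    "acc-2": {"id": "acc-2", "owner": "bob", "ssn": "444-55-6666"},
}
TRANSACTIONS = {
    "tx-100": {"id": "tx-100", "account": "acc-1", "amount": 250.0},
    "tx-101": {"id": "tx-101", "account": "acc-2", "amount": 9800.0},
    "tx-102": {"id": "tx-102", "account": "acc-2", "amount": 120.0},
}

Resolver = Callable[[dict, str], Optional[dict]]


# --- Vulnerable resolvers: look objects up by id, never consult ctx["user"] ---
def vuln_transaction(ctx: dict, tx_id: str) -> Optional[dict]:
    tx = TRANSACTIONS.get(tx_id)
    return dict(tx) if tx else None


def vuln_account(ctx: dict, acc_id: str) -> Optional[dict]:
    acc = ACCOUNTS.get(acc_id)
    return dict(acc) if acc else None


# --- Hardened resolvers: every object-returning resolver enforces ownership ---
def safe_account(ctx: dict, acc_id: str) -> Optional[dict]:
    acc = ACCOUNTS.get(acc_id)
    if acc is None:
        return None
    if acc["owner"] != ctx["user"]:
        raise Forbidden(f"{ctx['user']} may not read {acc_id}")
    return dict(acc)


def safe_transaction(ctx: dict, tx_id: str) -> Optional[dict]:
    tx = TRANSACTIONS.get(tx_id)
    if tx is None:
        return None
    # Authorize through the owning account. The nested account resolver checks
    # again, so transaction { account { ssn } } is denied at both levels.
    safe_account(ctx, tx["account"])
    return dict(tx)


VULNERABLE: Dict[str, Resolver] = {"transaction": vuln_transaction, "account": vuln_account}
HARDENED: Dict[str, Resolver] = {"transaction": safe_transaction, "account": safe_account}

# An operation is (root field, object id, selected fields). Selecting "account"
# on a transaction invokes the nested account resolver, the nested-query case.
Operation = Tuple[str, str, List[str]]


def execute(resolvers: Dict[str, Resolver], ctx: dict, ops: List[Operation]) -> list:
    """Run a batch of operations as one request, GraphQL-style: each operation
    produces its own result or its own error, and the others keep going."""
    results = []
    for field, obj_id, selection in ops:
        try:
            obj = resolvers[field](ctx, obj_id)
            if obj is None:
                results.append(None)
                continue
            out = {}
            for sel in selection:
                if sel == "account" and "account" in obj:
                    out["account"] = resolvers["account"](ctx, obj["account"])
                else:
                    out[sel] = obj.get(sel)
            results.append(out)
        except Forbidden as exc:
            results.append({"error": str(exc)})
    return results


def harvest(resolvers: Dict[str, Resolver], user: str) -> list:
    """A low-privilege user sends one batched request enumerating transaction
    ids and pulling the nested account object (owner and SSN) for each."""
    ops = [("transaction", tid, ["id", "amount", "account"]) for tid in sorted(TRANSACTIONS)]
    return execute(resolvers, {"user": user}, ops)


if __name__ == "__main__":
    print("vulnerable:", harvest(VULNERABLE, "alice"))
    print("hardened:  ", harvest(HARDENED, "alice"))
```

Against the vulnerable resolvers, `harvest(VULNERABLE, "alice")` returns every transaction in the data set together with the other customer's account record, including the SSN, in one round trip. Against the hardened resolvers the same request returns only Alice's own transaction; the other two operations come back as per-operation errors and the nested account data is never materialised. The practical check to carry over to a real schema is that ownership is enforced inside each resolver that returns a protected object, not once at the HTTP layer or only on the root query, and that batched or aliased operations are rate-limited so enumeration costs the attacker more than one request.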

Security Magazine reports "Researchers Discover GraphQL Authorization Flaws in FinTech SaaS Platform"
