
Salt Security Discovers GraphQL Authorization Flaws in FinTech SaaS Platform


PALO ALTO, California, December 8, 2021 / PRNewswire / – Salt Security, the leading API security company, today released new API threat research from Salt Labs that highlights a GraphQL API authorization vulnerability in a business-to-business (B2B) financial technology (FinTech) platform. The findings, identified by researching this FinTech vendor’s mobile apps and SaaS platform, call attention to permission-level gaps that can arise with nested queries in GraphQL, an open-source query language used to build APIs. Salt Labs found that because authorization checks were not properly implemented, researchers could submit unauthorized transactions to any customer account and collect sensitive data from any customer.

“GraphQL offers some advantages in query options over REST APIs. This flexibility comes with risks, however, as a single API call can include multiple distinct requests,” said Roey Eliyahu, co-founder and CEO of Salt Security. “As GraphQL gains traction, our goal is to provide users with the intelligence, capabilities and support needed to develop more secure API environments. data disclosure.”

According to Salt Security’s State of API Security Report, Q3 2021, 62% of organizations have no API security strategy in place, or only a basic one. This lack of protection is particularly concerning as cyber attacks targeting APIs are on the rise alongside the adoption of relatively new technologies like GraphQL, whose use doubled from 2020 to 2021, according to industry sources *. In the case of the GraphQL authorization flaw discovered by Salt Labs, attackers can manipulate API calls to exfiltrate sensitive user data and initiate unauthorized transactions. The FinTech platform also introduced an additional security hole: some API calls reached an API endpoint that did not require authentication, so Salt Labs researchers could enter any transaction ID and extract data records from previous financial transactions. Through these two significant vulnerabilities, any user could extract sensitive Personally Identifiable Information (PII) from any customer and transfer funds out of customer accounts without their knowledge.
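The nested-query permission gap described above, as an added example that is not code from Salt Labs, the FinTech vendor or the press release: a toy GraphQL-style executor in which the schema, sample data, resolver names and the `Context` type are all constructed for this illustration. The first resolver set checks ownership only on the top-level `account` field and lets a nested `transaction(id:)` selection fetch any record; the second re-checks object ownership in every resolver, which is the mitigation a defender wants.

```python
"""Toy GraphQL-style executor: authorization at the top level only, beside
authorization enforced in every resolver. Schema, data and names are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two customers, each with one account and one transaction.
ACCOUNTS = {
    "acct-1": {"id": "acct-1", "owner": "alice", "balance": 1200},
    "acct-2": {"id": "acct-2", "owner": "bob", "balance": 5400},
}
TRANSACTIONS = {
    "tx-100": {"id": "tx-100", "account": "acct-1", "amount": 50, "memo": "coffee"},
    "tx-200": {"id": "tx-200", "account": "acct-2", "amount": 900, "memo": "rent"},
}
# Object type each non-leaf field resolves to (leaf fields are absent).
RETURN_TYPES = {("Query", "account"): "Account", ("Account", "transaction"): "Transaction"}


@dataclass
class Context:
    user: Optional[str]  # None models an unauthenticated caller


class Forbidden(Exception):
    pass


def owned_account(ctx, account_id):
    """Return the account only if the caller is authenticated and owns it."""
    acct = ACCOUNTS.get(account_id)
    if ctx.user is None or acct is None or acct["owner"] != ctx.user:
        raise Forbidden(f"{ctx.user!r} may not read {account_id}")
    return acct


def execute(resolvers, selection, ctx, parent=None, type_name="Query"):
    """Walk a selection set {field: (args, sub_selection)} the way a GraphQL
    executor does: resolve each field, then recurse into nested selections."""
    result = {}
    for field, (args, sub) in selection.items():
        value = resolvers[type_name][field](parent, args, ctx)
        if sub:
            value = execute(resolvers, sub, ctx, value, RETURN_TYPES[(type_name, field)])
        result[field] = value
    return result


LEAF = {
    "Account": {"balance": lambda acct, args, ctx: acct["balance"]},
    "Transaction": {"memo": lambda tx, args, ctx: tx["memo"],
                    "amount": lambda tx, args, ctx: tx["amount"]},
}

# Weak pattern: the only authorization check sits on the top-level `account`
# field. The nested `transaction(id:)` resolver trusts that check and fetches
# any transaction by id, so a nested selection reaches other customers' data.
VULNERABLE = {
    "Query": {"account": lambda _p, args, ctx: owned_account(ctx, args["id"])},
    "Account": {**LEAF["Account"],
                "transaction": lambda acct, args, ctx: TRANSACTIONS[args["id"]]},
    "Transaction": LEAF["Transaction"],
}


def owned_transaction(ctx, acct, tx_id):
    """Hardened nested resolver: the transaction must belong to the parent
    account, and the caller must own that account (checked again here)."""
    tx = TRANSACTIONS.get(tx_id)
    if tx is None or tx["account"] != acct["id"]:
        raise Forbidden(f"{tx_id} is not a transaction of {acct['id']}")
    owned_account(ctx, tx["account"])  # object-level check at every layer
    return tx


HARDENED = {
    "Query": {"account": lambda _p, args, ctx: owned_account(ctx, args["id"])},
    "Account": {**LEAF["Account"],
                "transaction": lambda acct, args, ctx: owned_transaction(ctx, acct, args["id"])},
    "Transaction": LEAF["Transaction"],
}

# Alice selects her own account, but the nested selection names Bob's transaction.
NESTED_QUERY = {
    "account": ({"id": "acct-1"}, {
        "balance": ({}, None),
        "transaction": ({"id": "tx-200"}, {"memo": ({}, None)}),
    })
}


def nested_leak(resolvers, query=NESTED_QUERY, user="alice"):
    """Return the memo the nested query yields, or None if a resolver denies it."""
    try:
        return execute(resolvers, query, Context(user=user))["account"]["transaction"]["memo"]
    except Forbidden:
        return None


if __name__ == "__main__":
    print("top-level check only:", nested_leak(VULNERABLE))  # Bob's memo comes back
    print("check in every resolver:", nested_leak(HARDENED))  # None: denied
```

The point to carry into a real schema is the shape of `owned_transaction`: each resolver re-derives the caller's rights for the object it returns instead of assuming the parent field already did. Request-level telemetry that records which object ids each nested resolver touched for which principal is what lets a detection team spot cross-customer access of this kind.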

“Without dedicated API security tools in place, organizations with API-based applications and platforms open the door to serious risks. The prevailing assumption in the industry around GraphQL is that these APIs are rare and obscure attack targets and therefore more secure,” said Michael Isbitski, Technical Evangelist, Salt Security. “This assumption is wrong. Security through obscurity has always been a bad strategy, and the complexity of GraphQL APIs makes securing them more difficult. Salt Labs research shows that missteps in GraphQL APIs lead to vulnerabilities and new attack vectors that leave organizations at risk.”

The flexibility and complexity of GraphQL make its APIs harder to secure. Machine-assisted analysis is essential to process the large volumes of API telemetry needed to identify access control flaws and behavioral anomalies. API gateways and web application firewalls (WAFs) cannot protect against these attack vectors, and developers cannot identify every issue without the APIs being exercised at runtime.

Salt Labs’ latest GraphQL vulnerability research builds on recent updates to the Salt Security API Protection Platform, the first API security tool specifically designed to protect GraphQL APIs throughout their lifecycle. Its capabilities allow GraphQL users to discover APIs, mitigate data exposure, stop attacks, and eliminate vulnerabilities at their source. Applying its API Context Engine (ACE) architecture, a patented big data engine based on AI and ML, the Salt Security platform analyzes the complex structure of each GraphQL query to identify unique object entities, providing a complete inventory of GraphQL APIs and a baseline for identifying and stopping attacks. The platform also integrates with popular DevOps tools to streamline remediation.

Read the full GraphQL Authorization Vulnerability Report from Salt Labs, including the steps to diagnose this misconfiguration and suggested mitigation techniques.

To learn more about Salt Security, its platform, or to request a demo, please visit


About Salt Labs
Salt Labs continues Salt Security’s broader mission to enable innovation through APIs. A public forum for publishing API vulnerability research, Salt Labs is dedicated to educating the market about the latest API security threats and incidents. Salt Labs’ security research team is focused on uncovering API vulnerabilities in the wild, documenting threat actor tactics, and helping organizations avoid or correct the risk. For more information, please visit

About Salt Security
Salt Security protects the APIs that are the heart of every modern application. Its API Protection Platform is the industry’s first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. Deployed in minutes, the Salt Security platform learns the granular behavior of an organization’s APIs and requires no configuration or customization to identify and block API attackers. Salt Security was founded in 2016 by former Israel Defense Forces (IDF) leaders and serial cybersecurity entrepreneurs and is based in Silicon Valley and Israel. For more information, please visit:

Press contact
Dex Polizzi
Lumina Communications for Salt Security

SOURCE Salt Security