WebsiteGear Logo Log In
New User? Sign Up
About | Contact | FAQ
HOME ACCOUNT PRODUCTS NEWS ARTICLES DIRECTORY CLASSIFIEDS FORUMS TOOLS
* Search Job Postings on WebsiteGear Classifieds !
  Home News Website Related Website Development Thursday, May 14, 2026 
Add Press Release News | News Feeds Feeds | Email This News Email


Salt Security Discovers GraphQL Authorization Flaws in FinTech SaaS platform
Thursday, December 16, 2021

Researchers at Salt Labs identify poor authorization enforcement within nested queries accidentally exposed sensitive financial data and PII

PALO ALTO, Calif., Dec. 8, 2021 /PRNewswire/ -- Salt Security, the leading API security company, today released new API threat research from Salt Labs that highlights a GraphQL API authorization vulnerability in a B2B financial technology (FinTech) platform. The findings, which were identified by researching the mobile applications and SaaS platform of this FinTech provider, call attention to authorization-level flaws that can arise with nested queries in GraphQL, an open-source query language used to build APIs. Salt Labs found that the failure to implement authorization checks correctly meant the researchers could submit unauthorized transactions against any customer account and harvest any customer's sensitive data.

"GraphQL provides some advantages in query options compared to REST APIs. With this flexibility, however, comes risk, since a single API call can include multiple separate queries," said Roey Eliyahu, co-founder and CEO, Salt Security. "As GraphQL gains traction, our goal is to provide users with the intelligence, capabilities, and support to develop more secure API environments. Salt Labs is leading the charge to bring awareness to GraphQL-specific risks that have the potential for business disruption and unauthorized data disclosure."

According to the Salt Security State of API Security Report, Q3 2021, 62% of organizations have no or just a basic API security strategy in place. This lack of protection is particularly worrisome as cyberattacks targeting APIs are on the rise alongside the adoption of relatively new technologies like GraphQL, which has doubled from 2020 to 2021, according to industry* sources. In the case of the GraphQL authorization flaw discovered by Salt Labs, attackers can manipulate API calls to exfiltrate sensitive user data and initiate unauthorized transactions. This financial technology platform also introduced an additional security gap, in which some API calls accessed an API endpoint that required no authentication. Salt Labs researchers could enter any transaction identifier and pull back data records of previous financial transactions. Across these two significant vulnerabilities, any user could extract sensitive personally identifiable information (PII) of any customer, and transfer funds out of customers' accounts without their knowledge.

"Without dedicated API security tooling in place, organizations with API-based applications and platforms are opening the door to serious risks. The prevailing assumption in the industry around GraphQL is that these APIs are uncommon, obscure targets of attack and therefore safer," said Michael Isbitski, Technical Evangelist, Salt Security. "This assumption is wrong. Security through obscurity has always been a poor strategy, and the complexity of GraphQL APIs makes securing them more challenging. The Salt Labs research demonstrates that missteps in GraphQL APIs are leading to vulnerabilities and new attack vectors that leave organizations at risk."

Flexibility and complexity increase the difficulty of securing GraphQL APIs. Machine assistance is essential to analyzing the large amounts of API telemetry data necessary to identify access control flaws and behavioral anomalies. API gateways and web application firewalls (WAFs) cannot protect against these attack vectors, and developers cannot identify all issues without the APIs being exercised in runtime.

Salt Labs' latest GraphQL vulnerability research builds on Salt Security's recent updates to the Salt Security API Protection Platform, the industry's first purpose-built API security tool that can protect GraphQL APIs across their entire life cycle. Its capabilities enable GraphQL users to discover APIs, mitigate data exposure, stop attacks, and eliminate vulnerabilities at their source. Applying its API Context Engine (ACE) architecture, a patented AI- and ML-based Big Data engine, the Salt Security platform parses the complex structure of each GraphQL query to identify unique object entities, delivering a complete inventory of GraphQL APIs and a baseline for identifying and stopping attacks. The platform also integrates with popular DevOps tools to streamline remediation.

Read the complete GraphQL authorization vulnerability report from Salt Labs, including steps to diagnose this misconfiguration and suggested mitigation techniques.

To learn more about Salt Security, its platform, or request a demo, please visit https://content.salt.security/demo.html.

Source: https://nordicapis.com/key-takeaways-from-rapidapis-2020-developer-survey/

About Salt Labs
Salt Labs furthers the broader Salt Security mission to enable innovation through APIs. A public forum for publishing research on API vulnerabilities, Salt Labs is dedicated to educating the market on the latest in API threats and security incidents. The Salt Labs security research team focuses on discovering API vulnerabilities in the wild, documenting the tactics of threat actors, and helping organizations avoid or remediate the risk. For more information, please visit https://salt.security/salt-labs.

About Salt Security
Salt Security protects the APIs that form the core of every modern application. Its API Protection Platform is the industry's first patented solution to prevent the next generation of API attacks, using machine learning and AI to automatically and continuously identify and protect APIs. Deployed in minutes, the Salt Security platform learns the granular behavior of a company's APIs and requires no configuration or customization to pinpoint and block API attackers. Salt Security was founded in 2016 by alumni of the Israeli Defense Forces (IDF) and serial entrepreneur executives in the cybersecurity field and is based in Silicon Valley and Israel. For more information, please visit: https://salt.security.

Press Contact
Dex Polizzi
Lumina Communications for Salt Security
Salt@luminapr.com

View original content to download multimedia:https://www.prnewswire.com/news-releases/salt-security-discovers-graphql-authorization-flaws-in-fintech-saas-platform-301440052.html

SOURCE Salt Security



Email This News Email | Submit To Slashdot Slashdot | Submit To Digg.com Digg | Submit To del.icio.us Del.icio.us | News Feeds Feeds

RELATED NEWS ARTICLES
Nav Asetek - Mandatory Notification of Trade | Jan 22, 2026
Nav BC.GAME to Host "Stay Untamed" Night During Abu Dhabi's Packed Web3 Summit Week | Jan 22, 2026
Nav Rent Manager Earned Best Real Estate Software Product Award and Multiple Review Badges from G2 Platform | Jan 22, 2026
Nav Tomorrowland Brings the Magic to Shanghai for a Spectacular First Indoor Edition in China | Jan 22, 2026
Nav Auburn University's Applied Research Institute Expands Advanced Manufacturing Capabilities with CF3D Enterprise Cell | Jan 22, 2026
Nav California Divorce Mediation Center Unveils Modern Website Redesign | Jan 22, 2026
Nav AMPERA ANNOUNCES LOCATION FOR GLOBAL HEADQUARTERS | Jan 22, 2026
Nav Gemmy Alerts Customers: Fake Websites Target Holiday Decorators | Jan 22, 2026
Nav Culture and tourism sectors thrive in Xiamen | Jan 22, 2026
Nav AMPLIFY Named Finalist in Three Categories at the 2026 Golden Gavel Awards | Jan 22, 2026
NEWS SEARCH
Survey Software
Survey Software
Click Tracking Software
Click Tracking
Poll Software
Poll Software
Rating Software
Rating Software
FEATURED NEWS | POPULAR NEWS
Submit News | View More News View More News
Copyright © 2003-2026 WebsiteGear Inc. All rights reserved. WEBSITEGEAR® is a registered trademark of WebsiteGear Inc.