Summary

  • A cybersecurity researcher has found a way to exploit GraphQL, a data-fetching query language, to obtain unauthorized data dumps.
  • The researcher, known as iski, stumbled across the issue while doing reconnaissance on a target company’s app, where they discovered a GraphQL endpoint.
  • Although the endpoint returned an error at first glance, iski investigated further and found that it was possible to manipulate the error message to extract internal data.
  • By capitalizing on the flexibility of GraphQL and the fact that some implementations do not sanitize error messages adequately, iski was able to use the endpoint to extract internal data, including account information.
  • The researcher highlights the need for companies to properly sanitize error messages and to be aware of the risk of data exposure when using GraphQL.
  • iski plans to release a PoC (proof of concept) to demonstrate the issue.

By Iski
