How we found a security misconfiguration in Philips' GraphQL API

It is a misconception that discovering vulnerabilities is only within the domain of developers and hackers. Jacob, an Account Executive at Escape, proves this notion wrong.

What is a vulnerability disclosure?

Vulnerability disclosure is the process of reporting security weaknesses in computer software or hardware. Individuals and groups such as security researchers, IT security teams, and in-house or third-party developers can report these vulnerabilities to the parties responsible for the affected systems. This allows them to investigate, confirm the validity, and take corrective action.

How did we discover Philips' GraphQL vulnerability?

Many people think that finding vulnerabilities is only for tech experts or hackers. But this story proves how intuitive and potent Escape's platform is!

On September 12th, 2023, one of our team members, Jacob Goldblatt, an Account Executive with no technical background, used Escape to test Philips' GraphQL API.

Escape allows users to simply input a domain name, which then results in the discovery and fingerprinting of all associated GraphQL APIs. This feature is incredibly useful, enabling the detection of a company's entire attack surface and assessing the risk associated with each API. With caution, Jacob opted to run a production mode scan on one of Philips' open and non-authenticated GraphQL APIs. This scan was designed to be non-intrusive, ensuring that it wouldn't cause any potential harm to the API.

To his surprise, Jacob identified a security misconfiguration: the GraphQL API was processing requests over HTTP. It's possible for those who are not familiar with why HTTP is a security problem, to view this as insignificant. However, it represents an exploitable security vulnerability: transmitting requests over HTTP, as opposed to the more secure HTTPS, exposes sensitive data to potential man-in-the-middle (MITM) attacks.

It's like sending confidential documents in a see-through envelope, allowing anyone to peek inside rather than in a sealed, opaque envelope.

A screenshot of Escape's platform, displaying the API with a detailed list of security misconfigurations associated with it

Upon recognizing this issue, Jacob quickly reported the security misconfiguration through Philips' Coordinated Vulnerability Disclosure system. Philips promptly acknowledged the issue, confirming it as a genuine vulnerability.

As a token of their appreciation for Jacob's diligence, Philips honored him and Escape by listing us in the Philips coordinated vulnerability disclosure Hall of Honors. This hall celebrates the contributions of researchers who help Philips in ensuring their digital products and services remain safe and secure.

What's next?

This story is not just about an individual finding an exploitable security misconfiguration. It's a testament to the capabilities of Escape. Even someone without a deep understanding of coding, exploiting software, or even access to internal data can spot potential threats overlooked by a company with a security roster consisting of hundreds of professionals, thanks to Escape's user-friendly interface and powerful features.

Escape gives its users the ability to automatically detect your exposed API attack surface by plugging in a domain name and seeing the risk associated with each of those APIs.

Want to test your GraphQL API immediately and ensure no security misconfigurations are accessible to attackers? Sign up for Escape today.

To conclude, Jacob's unanticipated discovery serves as an important reminder that it's not always about having the deepest technical knowledge in the digital age. Sometimes, it's about being armed with the right tools and the will to explore.

Want to learn further how to secure GraphQL APIs? Check out the articles below: