Issue 142: API vulnerabilities in Coursera and Huawei, GraphQL rate limiting and discovery 🔎

The Latest API Security News, Vulnerabilities and Best Practices
Issue: #142
API vulnerabilities in Coursera and Huawei, GraphQL rate-limiting and discovery
This week, we take a look at the recently reported API vulnerabilities at Coursera and in one of the Huawei home gateways. We also learn about rate-limiting for GraphQL APIs and GraphQL discovery using its autocorrect feature.
Vulnerability: Coursera

Coursera has fixed a number of API vulnerabilities reported by David Sopas, Paulo Silva, Ricardo Gonçalves, and Erez Yalon from Checkmarx:

  • Lack of authentication and authorization for reading or modifying user preferences
  • Account enumeration using the password reset endpoint
  • Lack of resource limiting
  • GraphQL misconfiguration

Their article explains how they found the first of the issues. While using various functions of the web app and observing the API calls that the site was making, they noticed GET calls to the endpoint /api/userPreferences.v1/{USER_ID}~{PREFERENCE_TYPE} that could retrieve 10 different types of user preferences.

When replacing the USER_ID of the authenticated user with that of another user, they noticed that they could still access the preferences data, demonstrating a lack of authorization check in the API. Even worse, they noticed that even without any authentication headers or cookies, they could still access the data, thus showing that the API was not protected by any authentication checks either:


Finally, they tried making PUT calls instead of GET and successfully modified user preferences through that same unprotected endpoint:


Obviously a significant breach of user privacy.

Lessons learned here:

  • Treat your backend APIs as your security boundary, and make sure they are up to it.
  • Ensure that both authentication and authorization checks are in place.
Vulnerability: Huawei DG8045

Device manufacturers often resort to default passwords to make the initial setup easier for consumers. If these passwords are not random, they can make such devices vulnerable to attacks.

A researcher found that Huawei DG8045 home gateway uses the last 8 characters of the device serial number as the default password.

To make things worse, the device exposes that number through a public API call GET /api/system/deviceinfo:


This means that if users don’t change the default password, they clearly risk attackers taking over their home gateway.

Lessons learned here:

  • Non-random default credentials are extremely dangerous and should be avoided.
  • APIs need to be protected with authentication and authorization.
  • The information that your APIs return must be clearly defined, reviewed, and enforced to avoid leaking sensitive information.
  • As a user, always change the password of any device, especially if it has a hard-coded default password, or the password is easily retrievable (like printed on the device or an easy unauthenticated API call).
Best practices: GraphQL and rate-limiting

API4:2019 — Lack of resources and rate-limiting can be a serious API vulnerability. Attackers can stage denial-of-service (DoS) attacks making the system unresponsive, or launch brute-force or scraping scripts to break into the system or retrieve its data. Traditionally, such attacks are prevented with rate limiting, the number of times within a period of time that an API client can call the API.

As Guilherme Vieira from Shopify explains in his article, this approach is not sufficient for GraphQL APIs. GraphQL is effectively a query language over REST APIs that allows sending complex queries and retrieving or modifying multiple objects in one call. This means that some calls can cause a lot more resource consumption than others, making request-based rate-limiting inefficient. One size clearly does not fit all.

To overcome the problem, engineers at Shopify use a point system. API clients get a certain number of complexity points that they can use within a period of time, such as 50 points per second up to a limit of 1,000 points. Then each query gets its complexity score calculated:

  • Objects: One point
  • Scalars and enums: Zero points
  • Connections: Two points plus the number of returned objects
  • Interfaces and unions: One point
  • Mutations: Ten points

The API responses returned to the caller include information on how many points were used and how many remain.

All this makes sure that no API client can go wild and consume more API resources than it is allowed. For more details and specific examples, see the original article.

Penetration testing: Attacking GraphQL Autocorrect

Penetration testers seek to find GraphQL schema information so they can build queries to retrieve the application data. As we have discussed in this newsletter multiple times, this is why it is important to make sure that introspection on GraphQL is not allowed in your production deployments.

In this recording from the null Ahmedabad June Meet, Somdev Sangwan discusses how the Autocorrect feature in GraphQL can be used as an attack vector even after introspection has been switched off, still allowing attackers to discover the schema. His part starts around the 33-minute mark:



Dmitry - transparent circle



Dmitry Sotnikov

Thanks for reading.

That's it for today. If you have any feedback or stories to share, simply reply to this email.

Please forward the newsletter to your friends and colleagues who might benefit from it.

42Crunch, Inc.   95 Third Street  2nd Floor  San Francisco  CA   94103   United States
You received this email because you are subscribed to API Security News from 42Crunch, Inc..

Update your email preferences to choose the types of emails you receive or Unsubscribe from all future emails  

Older messages

Issue 141: API vulnerabilities in VeryFitPro and Gettr, AWS Lambda authorizers, AsyncAPI 2.1 🏅

Saturday, July 10, 2021

Hi, today we have a few recent API vulnerability case studies, a research on possible implementation flaws in AWS Lambda Authorizers, and the The Latest API Security News,

Issue 140: API vulnerabilities at LazyPay, Western Digital, and LinkedIn; IDOR mindmap 🗺️

Thursday, July 1, 2021

Hi, today we look at LinkedIn data getting scraped and WD NAS devices wiped, the recent LazyPay API flaw and an IDOR/BOLA pentesting mindmap The Latest API Security News, Vulnerabilities

Issue 139: API vulnerabilities at Apple, Amazon, and 1Sambayan, upcoming Gartner webinar

Thursday, June 24, 2021

Hi, this week we look at the details of 3 recently reported API vulnerabilities and an upcoming free webinar from Gartner The Latest API Security News, Vulnerabilities and Best Practices

Issue 138: Vulnerabilities in Microsoft Teams and Instagram

Thursday, June 17, 2021

Hi, this week in our newsletter we look at a couple of recent vulnerability reports, awesome-apisecurity repo, and upcoming DevSecCon24. The Latest API Security News, Vulnerabilities and

Issue 137: Vulnerabilities in VMware vCenter and Apache Pulsar, GraphQL and CSRF attacks

Thursday, June 10, 2021

Hi, today we look at a couple of recent API vulnerabilities, API Security in Postman, CSRF and GraphQL, my upcoming live Q&A, and a buyer's The Latest API Security News,

Kotlin Weekly #261

Sunday, August 1, 2021

ISSUE #261 1st of August 2021 Hi Kotliners. Jetpack Compose 1.0.0 is out there, and we have already seen a boom in content just after a few days. Expect more Compose in the near future - and if you

[Sublime + Python Setup] The Ctrl+s "Heisenbug"

Sunday, August 1, 2021

"What the **** is going on?!" I heard Keith yell. Returning from my lunch break and in a helpful mood I grabbed my coffee mug and shuffled over to my coworker's desk. "What's

[PythonistaCafe] Why PythonistaCafe exists

Sunday, August 1, 2021

Hey there, In one of my last emails I talked about how some online communities in the tech space devolve over time and turn into cesspools of negativity. This relates directly to how and why I started

Show HN: – read-only Wikipedia using a 43GB SQLite file — and Hosting SQLite Databases on GitHub Pages

Saturday, July 31, 2021

Issue #481 — Top 20 stories of August 01, 2021 Issue #481 — August 01, 2021 You receive this email because you are subscribed to Hacker News Digest. You can open it in the browser if you prefer. 1 Show

Weekend Reading — Working with real data

Saturday, July 31, 2021

This week we Kanban our job search, change our strategy vision to fix a bug, ride the bike, and mind the duck! Weekend Reading — Working with real data By Assaf Arkin – 31 Jul 2021 – View online → 🪑

Charted | 1.6 Billion Disposable Masks Entered Our Oceans in 2020 😷

Saturday, July 31, 2021

The entire world has relied on disposable face masks to contain the spread of COVID-19, but over a billion of them are now in our oceans. FEATURED STORY 1.6 Billion Disposable Masks Entered Our Oceans

Daily Coding Problem: Problem #481 [Hard]

Saturday, July 31, 2021

Daily Coding Problem Good morning! Here's a solution to yesterday's problem. This is your coding interview problem for today. This problem was asked by Jane Street. Given an arithmetic

Week in Review - The metaverse reversal

Saturday, July 31, 2021

TechCrunch Newsletter TechCrunch logo Week in Review logo Saturday, July 31, 2021 • By Lucas Matney Hello friends, and welcome back to Week in Review! Last week, I talked about the specter of an “eco-

Startups Weekly - Unicorns are ready for a haircut

Saturday, July 31, 2021

TechCrunch Newsletter TechCrunch logo Startups Weekly logo Saturday, July 31, 2021 • By Natasha Mascarenhas The digitization of your haircut may not have been on your 2020 bucket list, but 2021 has an

[Sublime + Python Setup] How to become a happier & more productive Python dev

Saturday, July 31, 2021

Hey there, I really struggled with setting up an effective development environment as a new Python developer. It was difficult to build the right habits and to find a set of tools I enjoyed to use.