‘Serious’ flaw in DevOps utility could allow for exfiltration of data or user credentials
The bug, which was patched earlier this week, affected all versions of Playground.
Playground is a web-based integrated development environment (IDE) that enables developers to create objects, queries, and schemas for GraphQL, a flexible query language that allows web applications to interact with backend data stores.
The vulnerable components of Playground, which included a half-dozen packages, did not sanitize user input, allowing an attacker to embed malicious code in requests such as URL parameters, query parameters, and unsanitized database text strings.
The vulnerability only applied to dynamic components that accepted user input.
“These projects get 500k-750k downloads a week,” Rikki Schulte, lead maintainer of GraphQL Playground told The Daily Swig.
“Most implementations are stable but there turned out to be quite a few public-facing platforms and implementations that had this vulnerability.”
API credentials under threat
In an announcement on the GraphQL Playground GitHub repository, the project developers said: “This is a serious vulnerability that could allow for exfiltration of data or user credentials, or to disrupt systems.
“The biggest threat is probably API credentials. You can see in the examples how easy it is to exploit this,” Schulte said.
Although there’s no evidence that the bug has been exploited in the wild, Shculte confirmed that “it’s not unlikely that attackers were able to use social engineering to access security credentials for years.”
Developers should upgrade to the latest version of Playground, released earlier this week, which has patched the bug.
Meanwhile, as a rule of thumb, developers are advised to use libraries such as XSSPurify and DOMPurify to sanitize untrusted user input and prevent the exploitation of unknown XSS bugs in any library.