Bogdan Tiron
Bogdan Tiron is a seasoned security consultant with over 10 years of experience specializing in application security. He has a proven track record of enhancing security measures for leading organizations, including bet365, JPMorgan Bank, GFK, HSBC, Lloyds Bank, and WorldRemit. Throughout his career, Bogdan has held various roles, including application security consultant, pentester, security architect, and DevSecOps specialist. Four years ago, recognizing a gap in quality within the pentesting industry, he co-founded FORTBRIDGE, a cybersecurity consulting company that offers pentesting, phishing, and red-teaming services to clients seeking to enhance their security posture. Passionate about staying ahead of emerging threats, Bogdan is dedicated to fostering a culture of security within organizations and empowering teams to integrate security practices seamlessly into their workflows.
Session
This talk explores the importance of implementing robust access controls in GraphQL and REST APIs and the severe consequences when these controls are not properly enforced. GraphQL, a flexible data query language, allows clients to request exactly the data they need, but without proper access control mechanisms, sensitive data can be easily exposed. Using the Feeld mobile dating app as a case study, we will dive into a critical security review of how the lack of access controls in GraphQL and REST endpoints led to the exposure of users' personal data, including sensitive photos, videos and private messages. This session will highlight common access control vulnerabilities in GraphQL and REST implementations , real-world examples of security lapses, their impact and remediation.