Security flaws could have had LEGO users bricking it
Research from Salt Labs has highlighted two API security vulnerabilities discovered within BrickLink, a digital resale platform owned by The LEGO Group.
BrickLink is the world's largest online marketplace to buy and sell second-hand LEGO. The API security flaws could have allowed for both large-scale account takeover (ATO) attacks on customers' accounts and server compromise to allow bad actors to take control of accounts and steal personal details.
Salt Labs researchers discovered the vulnerabilities by examining areas of the site that support user input fields. In the 'Find Username' dialog box of the coupon search functionality, researchers found a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user's machine through a crafted link.
There was also a flaw in the platform's 'Upload to Wanted List' page which allowed researchers to execute an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser. Using the XXE injection attack, researchers were able to read files on the web server and execute a server-side request forgery (SSRF) attack.
"Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services," says Yaniv Balmas, VP of research at Salt Security. "As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors."
On discovering the vulnerabilities, Salt Labs' researchers followed coordinated disclosure practices with LEGO, and all issues were swiftly addressed.
You can read more on the Salt Security blog.
Image credit: AndrewLozovyi/depositphotos.com