Security flaws could have had LEGO users bricking it


Research from Salt Labs has highlighted two API security vulnerabilities discovered within BrickLink, a digital resale platform owned by The LEGO Group.

BrickLink is the world's largest online marketplace for buying and selling second-hand LEGO. The two flaws could have enabled large-scale account takeover (ATO) of customer accounts and, separately, compromise of the web server itself, either of which would let an attacker take control of accounts and steal the personal details held in them.

Salt Labs researchers found the vulnerabilities by examining the parts of the site that accept user input. In the 'Find Username' dialog of the coupon search feature they found a cross-site scripting (XSS) vulnerability: a crafted link carrying the payload caused attacker-chosen script to run in the victim's browser, within the BrickLink site's origin, as soon as the victim opened the link.
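The reflected XSS described above, as an added example that is not part of the original article or of Salt Labs' research: a search page that echoes a query parameter back into its HTML, shown in its vulnerable form and with output encoding applied, plus a small check that counts the script-bearing constructs a browser would execute in each rendering. The host, path, parameter name and payload are constructed stand-ins for the 'Find Username' dialog; nothing here is BrickLink's code.

```python
"""Reflected XSS through a search parameter: vulnerable vs hardened rendering.

Added illustration; not code from the Salt Labs write-up or from BrickLink.
The host, page path, parameter name and payload are constructed stand-ins
for the 'Find Username' dialog the article describes.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload: closes the value="" attribute, then adds an element
# with an event handler and a <script> element.
PAYLOAD = '"><img src=x onerror=alert(document.cookie)><script>alert(1)</script>'
# Constructed crafted link of the kind a victim would be sent.
CRAFTED_LINK = "https://example.test/find-username?username=" + quote(PAYLOAD)


def username_from_link(url: str) -> str:
    """What the server sees: the decoded 'username' query parameter."""
    return parse_qs(urlsplit(url).query).get("username", [""])[0]


def render_vulnerable(username: str) -> str:
    """Echo the parameter straight into the page. Markup in it becomes live
    markup in the victim's browser, running in the site's origin."""
    return (
        "<h2>Find Username</h2>"
        f'<input name="username" value="{username}">'
        f"<p>No results for {username}</p>"
    )


def render_hardened(username: str) -> str:
    """Same page with output encoding applied at the point of insertion.

    escape(..., quote=True) turns < > & " ' into entities, so the value can
    neither close the quoted attribute nor start a tag. The attribute must
    stay quoted for this to hold: escape() leaves whitespace alone, so an
    unquoted value={safe} could still be broken with a space."""
    safe = escape(username, quote=True)
    return (
        "<h2>Find Username</h2>"
        f'<input name="username" value="{safe}">'
        f"<p>No results for {safe}</p>"
    )


class _ScriptCounter(HTMLParser):
    """Count <script> elements and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def executable_markup(html_text: str) -> int:
    """Number of script-bearing constructs a browser would execute."""
    counter = _ScriptCounter()
    counter.feed(html_text)
    counter.close()
    return counter.scripts + counter.handlers


if __name__ == "__main__":
    name = username_from_link(CRAFTED_LINK)
    print("vulnerable page executes", executable_markup(render_vulnerable(name)), "constructs")
    print("hardened page executes  ", executable_markup(render_hardened(name)), "constructs")
```

The vulnerable rendering yields two `<script>` elements and two `onerror` handlers (the payload lands once inside the attribute and once in the paragraph); the hardened rendering yields none. Encoding has to match the context the value is inserted into: the HTML-entity encoding shown here is right for element text and quoted attributes, but a value placed inside a JavaScript block or a URL needs the encoding for that context instead.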

There was also a flaw in the platform's 'Upload to Wanted List' page that allowed researchers to carry out an XML External Entity (XXE) injection attack: uploaded XML containing a reference to an external entity was handed to an insecurely configured XML parser, which resolved the reference. With it the researchers could read files on the web server and, because the same entity mechanism can point at a URL rather than a file, perform a server-side request forgery (SSRF) attack.
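The XXE mechanism described above, as an added example that is not part of the original article or of Salt Labs' research: Python's standard-library SAX parser (expat) stands in for whatever parser BrickLink used, which the article does not name. The block builds the classic payload (an internal DTD subset declaring a SYSTEM entity and referencing it in content), runs it through a parser with external general entities switched on, and then through a hardened parser that keeps them off and refuses any document carrying a DOCTYPE. The wanted-list document shape, the secret file and its path are constructed.

```python
"""XXE in a SAX/expat parser: the weak configuration next to the hardened one.

Added illustration; not code from the Salt Labs write-up or from BrickLink.
The 'wanted list' document shape, the secret file and its path are constructed.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class _TextCollector(ContentHandler):
    """Gather every run of character data the parser delivers."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


class _ForbidDTD:
    """Lexical handler that rejects any document carrying a DOCTYPE.

    Entity declarations can only appear in a DTD, so refusing DTDs removes
    the XXE surface entirely (the same approach defusedxml takes)."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DTD/DOCTYPE is not allowed in uploaded XML")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def xxe_payload(path: str) -> bytes:
    """Classic XXE document: declare an external entity whose SYSTEM id is a
    server-side file, then reference it so the file's bytes become text."""
    return (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE wanted [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>\n'
            b'<wanted><item>&xxe;</item></wanted>')


def vulnerable_parse(data: bytes) -> str:
    """Server-side parser that resolves external general entities.

    Python's xml.sax has had this off by default since 3.7.1; the feature
    flag re-creates the weakly configured parser the article describes.
    The SYSTEM id may also be an http:// URL, which is how the same bug
    becomes SSRF."""
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)   # the dangerous setting
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text()


def hardened_parse(data: bytes) -> str:
    """Same parse with external entities explicitly off and DTDs rejected."""
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, _ForbidDTD())
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text()


def demo() -> dict:
    """Plant a constructed secret file, attack both parsers, report results."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("TOP-SECRET-CONFIG-42")          # constructed sample secret
        secret_path = fh.name
    try:
        payload = xxe_payload(secret_path)
        leaked = vulnerable_parse(payload)          # file contents come back
        try:
            hardened_parse(payload)
            blocked = False
        except ValueError:
            blocked = True
        benign = hardened_parse(b"<wanted><item>3001</item></wanted>")
        return {"leaked": leaked, "blocked": blocked, "benign": benign}
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the block. First, the parser default is not a defence on its own: here one `setFeature` call reopens the hole, and in other libraries (older Java and PHP parsers, for example) resolution of external entities was on by default, so the hardened path should set the safe configuration explicitly rather than rely on it. Second, rejecting the DTD outright is the simplest reliable fix for an upload endpoint, since a legitimate wanted-list file has no reason to carry one; if DTDs must be accepted, resolving external entities and loading external DTDs both need to be disabled.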

"Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services," says Yaniv Balmas, VP of research at Salt Security. "As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors."

On discovering the vulnerabilities, Salt Labs' researchers followed coordinated disclosure practices with LEGO, and all issues were swiftly addressed.

You can read more on the Salt Security blog.

Image credit: AndrewLozovyi/depositphotos.com


© 1998-2025 BetaNews, Inc. All Rights Reserved. About Us - Privacy Policy - Cookie Policy - Sitemap.