Security flaws could have had LEGO users bricking it

No Comments

Research from Salt Labs has highlighted two API security vulnerabilities discovered within BrickLink, a digital resale platform owned by The LEGO Group.

BrickLink is the world's largest online marketplace to buy and sell second-hand LEGO. The API security flaws could have allowed for both large-scale account takeover (ATO) attacks on customers' accounts and server compromise to allow bad actors to take control of accounts and steal personal details.

Salt Labs researchers discovered the vulnerabilities by examining areas of the site that support user input fields. In the 'Find Username' dialog box of the coupon search functionality, researchers found a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user's machine through a crafted link.

There was also a flaw in the platform's 'Upload to Wanted List' page which allowed researchers to execute an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser. Using the XXE injection attack, researchers were able to read files on the web server and execute a server-side request forgery (SSRF) attack.

"Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services," says Yaniv Balmas, VP of research at Salt Security. "As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors."

On discovering the vulnerabilities, Salt Labs' researchers followed coordinated disclosure practices with LEGO, and all issues were swiftly addressed.

You can read more on the Salt Security blog.

Image credit: AndrewLozovyi/depositphotos.com

No Comments

Comments are closed.

Got News? Contact Us

Recent Headlines

Linux Daddy Linus Torvalds releases kernel 6.9

Windows 10 21H2: end of support for Enterprise and Education

Microsoft powers up Windows Terminal with session restoration and experimental scratchpad features

Microsoft makes the Windows 11 Start Menu expandable with Start Menu Companions

The critical intersection between AI and identity management

Unmasking the impact of shadow AI -- and what businesses can do about it

Best Windows apps this week

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.1

80 Comments

The stunning Windows 13 -- yes, 13! -- is the Microsoft operating system we want

25 Comments

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

21 Comments

Switch to Linux Lite 7.0 from Windows 11

19 Comments

Microsoft releases preview version of Office 2024 for Windows and macOS -- download it now!

17 Comments

Linux fan develops a fricking amazing tool to remove all ads from Windows 11

17 Comments

Windows 11 is losing market share to Windows 10

9 Comments

Microsoft issues reminder about end of support for Office 2016 and Office 2019

7 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.