Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Friday, 3 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Lego’s BrickLink service narrowly avoids catastrophic API exploit

Salt Labs researchers find vulnerabilities could have enabled attackers to compromise LEGO’s internal servers and exfiltrate global users’ private account data

by Guru Writer
December 15, 2022
in Research
Lego’s BrickLink service narrowly avoids catastrophic API exploit
Share on FacebookShare on Twitter

Salt Labs, the research arm of API specialist Salt Security, has revealed it identified a pair of application programming interface (API) security vulnerabilities in Lego’s BrickLink digital resale platform. The vulnerabilities have now been fixed.

Boasting over a million members, BrickLink is currently experiencing its busy season as shoppers scramble to before second-hand Lego sets before Christmas. The site is the world’s largest platform for buying and selling second-hand Lego sets and operates in a similar fashion to e-commerce giant eBay.

Had these vulnerabilities been exploited, they could have allowed for both large-scale account takeover (ATO) attacks on customers’ accounts and server compromise. This would have enabled hackers to:

  •     Manipulate platform users to gain complete control over their accounts.
  •     Leak personal identifiable information (PII) and other sensitive user data stored internally by the platform.
  •     Gain access to internal production data, which could have led to a full compromise of the company’s internal servers.

Both vulnerabilities were found by examining areas of the site that support user input fields. The first  was discovered when researchers found a cross-site scripting (XSS) vulnerability in the “Find Username” dialogue box of the coupon search functionality, enabling them to inject and execute code on a victim end user’s machine through a crafted link. The XXS vulnerability was then chained with a Session ID exposed on a different page. By doing this, researchers were able to hijack the session, achieving ATO. Had this been uncovered by bad actors, it could have resulted in total ATO or the theft of sensitive data.

The second vulnerability was identified in the site’s “Upload to Wanted List” page – an endpoint that allows users to upload wish lists of desired Lego parts and sets in XML format. By executing an XML External Entity (XXE) injection attack, researchers were able to read files on the web server and execute a server-side request forgery (SSRF) attack that could be abuse in any number of ways – AWS EC2 tokens, for example.

Fortunately, the vulnerabilities were discovered before cybercriminals could exploit them.

“Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services,” said Yaniv Balmas, VP of Research, Salt Security. “As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”      

 

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

#MIWIC2022: Camilla Currin, Trend Micro

Next Post

The state of Identity Security: Widespread attacks, wasted investment and identity sprawl

Recent News

london-skyline-canary-wharf

Ransomware attack halts London trading

February 3, 2023
Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

Ransomware conversations: Why the CFO is pivotal to discussing and preparing for risk

February 2, 2023
JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information