Salt Labs, the research arm of API specialist Salt Security, has revealed it identified a pair of application programming interface (API) security vulnerabilities in Lego’s BrickLink digital resale platform. The vulnerabilities have now been fixed.
Boasting over a million members, BrickLink is currently experiencing its busy season as shoppers scramble to before second-hand Lego sets before Christmas. The site is the world’s largest platform for buying and selling second-hand Lego sets and operates in a similar fashion to e-commerce giant eBay.
Had these vulnerabilities been exploited, they could have allowed for both large-scale account takeover (ATO) attacks on customers’ accounts and server compromise. This would have enabled hackers to:
- Manipulate platform users to gain complete control over their accounts.
- Leak personal identifiable information (PII) and other sensitive user data stored internally by the platform.
- Gain access to internal production data, which could have led to a full compromise of the company’s internal servers.
Both vulnerabilities were found by examining areas of the site that support user input fields. The first was discovered when researchers found a cross-site scripting (XSS) vulnerability in the “Find Username” dialogue box of the coupon search functionality, enabling them to inject and execute code on a victim end user’s machine through a crafted link. The XXS vulnerability was then chained with a Session ID exposed on a different page. By doing this, researchers were able to hijack the session, achieving ATO. Had this been uncovered by bad actors, it could have resulted in total ATO or the theft of sensitive data.
The second vulnerability was identified in the site’s “Upload to Wanted List” page – an endpoint that allows users to upload wish lists of desired Lego parts and sets in XML format. By executing an XML External Entity (XXE) injection attack, researchers were able to read files on the web server and execute a server-side request forgery (SSRF) attack that could be abuse in any number of ways – AWS EC2 tokens, for example.
Fortunately, the vulnerabilities were discovered before cybercriminals could exploit them.
“Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services,” said Yaniv Balmas, VP of Research, Salt Security. “As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”