"Unsecure Bricks: API Vulnerabilities Found in Lego BrickLink Marketplace"

Most people associate Lego with toy bricks and childhood imagination, but the Lego company has now entered the digital age by offering a service called BrickLink, which has been discovered to be insecure. A new report from Salt Security reveals the discovery of Application Programming Interface (API) security vulnerabilities in BrickLink, an online marketplace for buying and selling used Legos. The API security flaws could lead to a large-scale takeover of customers' accounts and to server compromise. The API flaws could have allowed threat actors to manipulate platform users and gain access to Personally Identifiable Information (PII) stored internally by the platform. Furthermore, an attacker could have gained access to internal production data, leading to a complete compromise of the company's internal servers.

The flaws were discovered by inspecting areas of the website that accept user input. Researchers found a Cross-Site Scripting (XSS) vulnerability in the "Find Username" dialog box of the coupon search functionality, which allowed them to inject and execute code on an end user's machine via a crafted link. The Salt Security team chained the XSS vulnerability with a Session ID exposed on another page, hijacked the session, and took over the account.

The second flaw was discovered on the "Upload to Wanted List" page. The endpoint allows users to upload an XML list of Lego parts and sets, and the researchers used this feature to launch an XML External Entity (XXE) injection attack. By leveraging the XXE injection, the researchers were able to read files on the web server and execute a Server-Side Request Forgery (SSRF) attack. This has the potential to be abused in a variety of ways, including stealing Amazon Elastic Compute Cloud (EC2) tokens from the server. This article continues to discuss the potential exploitation and impact of the API vulnerabilities found in the Lego BrickLink marketplace.
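The XXE flaw described above exists because an XML upload endpoint lets the document declare its own entities. The following is an added example, not code from BrickLink or from the Salt Security report, of how a defender can gate such an upload: the `INVENTORY`/`ITEM` element names, the size limit and the UTF-8-only policy are assumptions for illustration, and the entity URI in the second sample is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

MAX_UPLOAD_BYTES = 256 * 1024  # assumed size limit for a parts-list upload

# A DOCTYPE is the only place an XML document can declare an external entity,
# so a plain data upload can refuse any DOCTYPE or ENTITY declaration outright.
_DTD_MARKER = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class RejectedUpload(ValueError):
    """Raised when an upload fails the pre-parse policy check."""


def parse_wanted_list(xml_bytes: bytes) -> list[dict]:
    """Parse an uploaded parts list, rejecting any document that carries a DTD."""
    if len(xml_bytes) > MAX_UPLOAD_BYTES:
        raise RejectedUpload("upload too large")
    try:
        # Policy: accept UTF-8 only, so the marker scan cannot be dodged by
        # submitting the same text in another encoding (e.g. UTF-16).
        text = xml_bytes.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RejectedUpload("upload is not valid UTF-8") from exc
    if _DTD_MARKER.search(text):
        raise RejectedUpload("DOCTYPE/ENTITY declarations are not allowed")
    root = ET.fromstring(text)
    if root.tag != "INVENTORY":
        raise RejectedUpload("unexpected root element")
    return [
        {
            "type": item.findtext("ITEMTYPE", ""),
            "id": item.findtext("ITEMID", ""),
            "qty": int(item.findtext("MINQTY", "1")),
        }
        for item in root.findall("ITEM")
    ]


# Constructed sample inputs: a benign list, and the same structure with a DTD
# that declares an external entity (placeholder URI) and references it.
BENIGN_UPLOAD = b"""<?xml version="1.0"?>
<INVENTORY>
  <ITEM><ITEMTYPE>P</ITEMTYPE><ITEMID>3001</ITEMID><MINQTY>4</MINQTY></ITEM>
  <ITEM><ITEMTYPE>S</ITEMTYPE><ITEMID>10265-1</ITEMID><MINQTY>1</MINQTY></ITEM>
</INVENTORY>"""

XXE_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE INVENTORY [ <!ENTITY xxe SYSTEM "file:///placeholder-path"> ]>
<INVENTORY><ITEM><ITEMTYPE>P</ITEMTYPE><ITEMID>&xxe;</ITEMID></ITEM></INVENTORY>"""
```

Rejecting the DTD at the boundary means the outcome no longer depends on whether the XML library behind the endpoint resolves external entities by default.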

SiliconANGLE reports "Unsecure Bricks: API Vulnerabilities Found in Lego BrickLink Marketplace"
