When most people think of the Danish company Lego A/S, they think of toy bricks and childhood imagination. But Lego has moved into the digital age with a service called BrickLink, and unfortunately that service has been found to be not very secure.
A new report from application programming interface security startup Salt Security Inc. today highlights two API security vulnerabilities in BrickLink, the world’s largest online marketplace for buying and selling second-hand Legos. The API security flaws could have allowed for large-scale account takeover attacks on customers’ accounts and server compromise.
The API flaws could have enabled bad actors to manipulate platform users into handing over complete control of their accounts, and to gain access to personally identifiable information and other sensitive user data stored internally by the platform. In addition, an attacker could have gained access to internal production data, which could have led to a full compromise of the company’s internal servers.
The vulnerabilities were discovered by examining areas of the site that support user input fields. In the “Find Username” dialog box of the coupon search functionality, researchers found a cross-site scripting vulnerability that enabled them to inject and execute code on an end user’s machine through a crafted link. The Salt Security team was able to chain the XSS vulnerability with a Session ID exposed on a different page, hijack the session and achieve account takeover.
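The two defensive controls that break this kind of chain are escaping every user-supplied value before it is written into HTML, and keeping the session identifier out of reach of page script. The following is an added illustration written for this article, not BrickLink's code or anything from the Salt Security report; the dialog markup, the function names and the `session` cookie name are assumptions.

```python
import html
from http.cookies import SimpleCookie


def render_find_username(query: str, matches: list) -> str:
    """Build the HTML fragment for a "find username" dialog.

    Every value that originates from the user (the search text and the
    usernames that come back from the database) goes through html.escape
    with quote=True, so angle brackets and quotes arrive in the page as
    entities and cannot open a tag or break out of an attribute.
    """
    safe_query = html.escape(query, quote=True)
    rows = "".join(f"<li>{html.escape(name, quote=True)}</li>" for name in matches)
    return f'<p>Results for "{safe_query}":</p><ul>{rows}</ul>'


def session_cookie_header(session_id: str) -> str:
    """Return a Set-Cookie value for the session identifier.

    HttpOnly keeps the cookie out of document.cookie, Secure keeps it off
    plaintext HTTP, and SameSite=Lax stops most cross-site requests from
    carrying it. The session value is never echoed into page markup.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


# Constructed sample input: a search string that would inject script if
# it were written into the page unescaped.
SAMPLE_QUERY = '<script>alert(document.cookie)</script>'

if __name__ == "__main__":
    print(render_find_username(SAMPLE_QUERY, ["brickfan42", 'o"reilly']))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

The escaping here covers the HTML body and attribute contexts only; a value that has to land inside a script block or a URL needs the encoding rules for that context instead.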
The second vulnerability was found on the “Upload to Wanted List” page. The endpoint allows users to upload a list of Lego parts and sets in XML format. Using this feature, the researchers could perform an XML External Entity injection attack.
Using the XXE injection, the researchers were able to read files on the web server and execute a server-side request forgery attack. The flaw could be abused in many ways, such as stealing Amazon Web Services Inc. EC2 tokens off the server.
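An upload endpoint that accepts XML has no need for document type definitions, and external entities can only be declared inside one, so the simplest mitigation is to refuse any DTD before the parser sees it rather than relying on per-parser feature flags. The example below is added for this article and is not BrickLink's code; the `WANTED_LIST`/`ITEM`/`PART_ID`/`QTY` schema, the size limit and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MAX_UPLOAD_BYTES = 256 * 1024  # assumed limit for a parts list upload
# Any DOCTYPE or ENTITY declaration is refused outright: a parts list never needs one.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when an upload contains constructs the service never accepts."""


def parse_wanted_list(xml_bytes: bytes) -> list:
    """Parse an uploaded wanted list into [{"part_id": str, "qty": int}, ...].

    The upload must be UTF-8 with no NUL bytes; insisting on one encoding
    means the DTD pre-scan below cannot be sidestepped by declaring a
    different encoding in the XML prolog.
    """
    if len(xml_bytes) > MAX_UPLOAD_BYTES:
        raise UnsafeXMLError("upload exceeds size limit")
    try:
        text = xml_bytes.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UnsafeXMLError("upload must be UTF-8") from exc
    if "\x00" in text:
        raise UnsafeXMLError("NUL bytes are not accepted")
    if DTD_RE.search(text):
        raise UnsafeXMLError("DTD and entity declarations are not accepted")

    root = ET.fromstring(text)
    if root.tag != "WANTED_LIST":
        raise UnsafeXMLError(f"unexpected root element {root.tag!r}")

    items = []
    for item in root.findall("ITEM"):
        part = (item.findtext("PART_ID") or "").strip()
        qty_text = (item.findtext("QTY") or "1").strip()
        # Whitelist the shape of each field so odd values never reach the database layer.
        if not re.fullmatch(r"[A-Za-z0-9]{1,16}", part):
            raise UnsafeXMLError(f"invalid part id {part!r}")
        if not qty_text.isdigit() or not 1 <= int(qty_text) <= 10_000:
            raise UnsafeXMLError(f"invalid quantity {qty_text!r}")
        items.append({"part_id": part, "qty": int(qty_text)})
    return items


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the upload parses cleanly, False if it is rejected as unsafe or malformed."""
    try:
        parse_wanted_list(xml_bytes)
        return True
    except (UnsafeXMLError, ET.ParseError):
        return False


# Constructed samples: a plain list, and the same list with a DOCTYPE that
# declares an entity (harmless here, but the declaration itself is refused).
GOOD_UPLOAD = (
    b'<?xml version="1.0"?><WANTED_LIST>'
    b'<ITEM><PART_ID>3001</PART_ID><QTY>4</QTY></ITEM>'
    b'<ITEM><PART_ID>3003</PART_ID></ITEM>'
    b'</WANTED_LIST>'
)
DTD_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE WANTED_LIST [<!ENTITY ex "expanded">]>'
    b'<WANTED_LIST><ITEM><PART_ID>&ex;</PART_ID></ITEM></WANTED_LIST>'
)

if __name__ == "__main__":
    print(parse_wanted_list(GOOD_UPLOAD))
    print("DTD upload accepted:", is_accepted(DTD_UPLOAD))
```

Rejecting the DTD wholesale also closes entity-expansion denial of service, and the per-field whitelist means the parsed values can be handed to the rest of the application as typed data rather than raw strings. Where a service genuinely needs DTDs, the equivalent is to disable external entity resolution in the parser in use and keep the size and encoding checks.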
Salt Labs’ researchers followed disclosure practices and Lego remediated all issues swiftly after being informed of them.
“Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services,” explained Yaniv Balmas, vice president of research at Salt Security. “As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data.”
Balmas added that “as organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”