API Vulnerabilities Discovered in LEGO Marketplace

Software programming interface (API) security vulnerabilities have been discovered in a LEGO resale system owned by LEGO® Team, which could have put sensitive purchaser details at risk.

An investigation by Salt Security’s investigation crew, Slat Labs, located two API security flaws in BrickLink, an online market to obtain and provide LEGO areas, Minifigures and sets, which has around a million associates.

The scientists said the flaws could have enabled danger actors to accomplish significant-scale account takeover (ATO) attacks on shopper accounts, obtain personally identifiable information (PII) user knowledge stored by the platform and acquire accessibility to internal generation facts, probably main to a full compromise of BrickLink’s inside servers.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

Speaking to Infosecurity Journal throughout Black Hat Europe 2022, Yaniv Balmas, VP of study, Salt Security, explained: “What we located there puts every user of that procedure at risk – we could potentially accessibility all the information stored of the consumer, such as own info and credit history card information.”

The issues have been remediated following Salt Labs adopted coordinated disclosure techniques with LEGO.

The to start with security issue was uncovered in the ‘Find Username’ dialog box of the coupon research features. Here, the researchers uncovered a cross-web site scripting (XSS) vulnerability that enabled them to inject and execute code on a target conclusion user’s device via a crafted hyperlink. The testers then chained the XSS vulnerability with a Session ID exposed on a diverse web page, permitting them to hijack the session and obtain ATO. This technique could be used for a full ATO or to steal sensitive user facts, according to Salt Labs.

The second vulnerability was located within just BrickLink’s ‘Upload to Needed Record,’ in which the researchers executed an XML External Entity (XXE) injection attack. This happens in which an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

This tactic let them read files on the web server and execute a server-facet ask for forgery (SSRF) attack, which could be utilized for several nefarious usually means, which include thieving AWS EC2 tokens of the server.

Balmas, who heads Salt Labs’ offensive security staff, emphasized that all API vulnerabilities are one of a kind and specific to the organization in dilemma. “They are zero times by definition,” he commented.

The use of APIs, which perform as the backend framework for cellular and web applications, have improved exponentially in the past 5 decades, with an approximated 80% of all internet site visitors routed as a result of these interfaces, Balmas mentioned.

This is generating important security issues, with Salt Security obtaining a 117% improve in API attack website traffic above the previous 12 months.

Balmas said: “APIs have become a person of the premier and most important attack vectors to acquire entry to corporation devices and user details. As organizations rapidly scale, lots of keep on being unaware of the sheer quantity of API security threats and vulnerabilities that exist within just their platforms, leaving providers and their valuable details uncovered to undesirable actors.”      

He believes the security challenges are primarily triggered by an overfocus on the fast growth of APIs for operation, primary to security currently being neglected. As a result, APIs are more and more staying considered as a soft target by cyber-criminals.

“When you go into manufacturing so swiftly, it indicates there are lots of items of code that are continue to unchecked,” outlined Balmas.

He pressured that it is crucial for companies to ensure security is developed in to APIs at the enhancement phase, which needs more screening and collaboration with security groups. Additionally, there demands to be more awareness of the prevalent “categories” of vulnerabilities to help detect and avoid them occurring. “When you know these classes it can aid you to avert them in the initial area,” included Balmas.         

In November 2022, investigate by Akamai discovered that the volume of web software and API attacks detected around the previous 12 months surged by 3.5 moments 12 months-on-12 months in the money services sector.