API Vulnerabilities Discovered in LEGO Marketplace

December 19, 2022

Application programming interface (API) security vulnerabilities have been discovered in a LEGO resale platform owned by the LEGO® Group, which could have put sensitive buyer data at risk.

An investigation by Salt Security’s research team, Salt Labs, found two API security flaws in BrickLink, an online marketplace for buying and selling LEGO parts, Minifigures and sets, which has around a million members.

The researchers said the flaws could have allowed threat actors to carry out large-scale account takeover (ATO) attacks on customer accounts, obtain personally identifiable information (PII) stored by the platform and gain access to internal production data, potentially leading to a full compromise of BrickLink’s internal servers.


Speaking to Infosecurity Magazine during Black Hat Europe 2022, Yaniv Balmas, VP of research at Salt Security, explained: “What we found there puts every user of that system at risk – we could potentially access all the information stored on the user, such as personal information and credit card information.”

The issues have been remediated after Salt Labs followed coordinated disclosure practices with LEGO.

The first security issue was found in the ‘Find Username’ dialog box of the coupon search functionality. Here, the researchers found a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a target end user’s machine via a crafted link. The testers then chained the XSS vulnerability with a Session ID exposed on a different page, allowing them to hijack the session and achieve ATO. This technique could be used for a full ATO or to steal sensitive user data, according to Salt Labs.

The second vulnerability was found within BrickLink’s ‘Upload to Wanted List,’ where the researchers executed an XML External Entity (XXE) injection attack. This occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.

This tactic let them read files on the web server and execute a server-side request forgery (SSRF) attack, which could be used for various nefarious ends, including stealing AWS EC2 tokens from the server.
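The parser misconfiguration behind XXE, shown from the defender’s side in an added example that is not part of the original article or BrickLink’s code: an upload loader that rejects any DOCTYPE before an entity can be declared and refuses external entity resolution. The INVENTORY/ITEM element names, the ITEMID/MINQTY attributes and the PLACEHOLDER file path are assumptions, not BrickLink’s real schema.

```python
# Added example, not BrickLink's code: a hardened loader for an XML upload such as
# a wanted-list import. Any DOCTYPE is rejected before an <!ENTITY> can be declared,
# and external entity resolution is refused. The element/attribute names are assumed.
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Upload contained a DTD, an external entity reference or malformed XML."""


def parse_wanted_list(xml_text):
    """Return one dict per <ITEM .../> element, or raise UnsafeXmlError."""
    parser = expat.ParserCreate()
    # Never process parameter entities, so no external DTD is ever fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Uploads never need a DTD; rejecting it blocks every entity declaration.
        raise UnsafeXmlError(f"DOCTYPE '{name}' is not allowed in uploads")

    parser.StartDoctypeDeclHandler = on_doctype
    # Defence in depth: returning 0 makes expat abort instead of resolving the id.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    items = []

    def on_start(tag, attrs):
        if tag == "ITEM":
            items.append(dict(attrs))

    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:  # also raised when expat aborts on an entity
        raise UnsafeXmlError(f"malformed XML rejected: {exc}") from exc
    return items


def is_safe_upload(xml_text):
    """True when the upload parses with no DTD or entity tricks."""
    try:
        return parse_wanted_list(xml_text) is not None
    except UnsafeXmlError:
        return False


# Constructed sample uploads: a benign record and one carrying an external entity.
BENIGN = '<INVENTORY><ITEM ITEMID="3001" MINQTY="4"/></INVENTORY>'
XXE = ('<!DOCTYPE x [<!ENTITY e SYSTEM "file:///PLACEHOLDER/path">]>'
       '<INVENTORY><ITEM ITEMID="3001">&e;</ITEM></INVENTORY>')
```

Rejecting the DOCTYPE outright is the simplest mitigation; if a schema genuinely needs a DTD, keep the external entity handler and parameter entity setting as shown.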

Balmas, who heads Salt Labs’ offensive security team, emphasized that all API vulnerabilities are unique and specific to the organization in question. “They are zero days by definition,” he commented.

The use of APIs, which serve as the backend framework for mobile and web applications, has increased exponentially in the past five years, with an estimated 80% of all internet traffic routed through these interfaces, Balmas noted.

This is creating significant security issues, with Salt Security finding a 117% increase in API attack traffic over the past 12 months.

Balmas said: “APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”

He believes the security challenges are mainly caused by an overfocus on the rapid development of APIs for functionality, leading to security being neglected. As a result, APIs are increasingly being viewed as a soft target by cyber-criminals.

“When you go into production so quickly, it means there are many pieces of code that are still unchecked,” outlined Balmas.

He stressed that it is crucial for companies to ensure security is built into APIs at the development stage, which requires more testing and collaboration with security teams. Additionally, there needs to be more awareness of the common “categories” of vulnerabilities to help detect and prevent them occurring. “When you know these categories it can help you to prevent them in the first place,” added Balmas.

In November 2022, research by Akamai found that the volume of web application and API attacks detected over the previous 12 months surged by 3.5 times year-on-year in the financial services sector.


Some parts of this report are sourced from:
www.infosecurity-journal.com
