Salt Labs researchers find vulnerabilities could have enabled attackers to compromise LEGO’s internal servers and exfiltrate global users’ private account data
PALO ALTO, Calif. – December 15, 2022 – Salt Security, the leading API security company, today released new threat research from Salt Labs highlighting two API security vulnerabilities discovered within BrickLink, a digital resale platform owned by The LEGO® Group. With more than one million members, Bricklink is the world's largest online marketplace to buy and sell second-hand LEGO. The API security flaws could have allowed for both large-scale account takeover (ATO) attacks on customers’ accounts and server compromise, enabling bad actors to:
- Manipulate platform users to gain complete control over their accounts.
- Leak personal identifiable information (PII) and other sensitive user data stored internally by the platform.
- Gain access to internal production data, which could have led to a full compromise of the company’s internal servers.
Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered the API security gaps and provided the vulnerability analysis.
Salt Labs researchers discovered both vulnerabilities by examining areas of the site that support user input fields. In the “Find Username” dialog box of the coupon search functionality, researchers found a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link. The team was able to chain the XSS vulnerability with a Session ID exposed on a different page. By combining those two vulnerabilities, the researchers could hijack the session and achieve account takeover (ATO). Bad actors could have used these tactics for full ATO or to steal sensitive user data.
The second vulnerability was found within the platform’s “Upload to Wanted List” page. This endpoint allows users to uploadlists of wanted LEGO parts and sets in XML format. Using this feature, Salt Labs researchers were able to execute an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser. By leveraging the XXE injection attack, researchers were able to read files on the web server and execute a server-side request forgery (SSRF) attack that could be abused in many ways – for example, to steal AWS EC2 tokens of the server.
Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with LEGO, and all issues were remediated swiftly.
“Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services,” said Yaniv Balmas, VP of Research, Salt Security. “As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”
According to the Salt Security State of API Security Report, Q3 2022, Salt customers experienced a 117% increase in API attack traffic while their overall API traffic grew 168%. The Salt Security API Protection Platform enables companies to identify risks and vulnerabilities in APIs before they are exploited by attackers, including those listed in the OWASP API Top 10. The platform protects APIs across their full lifecycle – build, deploy and runtime phases – utilizing cloud-scale big data combined with AI and ML to baseline millions of users and APIs. By delivering context-based insights across the entire API lifecycle, Salt enables users to detect the reconnaissance activity of bad actors and block them before they can reach their objective. The exploits the Salt Labs team performed would have immediately triggered the Salt platform to highlight the attack.
To learn more about Salt Security or to request a demo, please visit https://content.salt.security/demo.html.