A researcher at Salt Security with a fondness for Lego bricks has found a range of vulnerabilities in the company’s BrickLink trading platform.
Security researcher Shiran Yodev thought looking at Lego’s online presence would be a good way to illustrate the growing number of API-based threats online. While Lego’s main site is far too plain to offer many attack opportunities, Yodev felt BrickLink — an online trading platform where users can set up their own stores — offered a far larger attack surface.
And he was not wrong.
Yodev found that the site’s “Find Username” search box was vulnerable to cross-site scripting, allowing arbitrary JavaScript to be executed on the page. He was then able to extract a user’s session ID from the page’s code.
By combining the two exploits, Yodev was then able to perform a full account takeover — though he noted that the exploit does require some user interaction to complete.
Not content with that, Yodev then took advantage of the site’s “Wanted List” XML functionality to launch an XML external entity (XXE) attack. Yodev was eventually able to read files on the site’s web server after recovering its AWS EC2 credentials.
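One defensive pattern for an XML upload feature like the wanted list above, as an added example that is not part of the original article or of BrickLink’s own code: the parser refuses any DOCTYPE, entity declaration or external entity reference before it can be acted on, so a SYSTEM entity pointing at a server file is never resolved. The element names (INVENTORY, ITEM, ITEMTYPE, ITEMID, COLOR, MINQTY) are assumed to follow BrickLink’s wanted-list layout, and both sample inputs are constructed.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Upload carried a DTD, entity declaration or external entity reference."""

def parse_wanted_list(xml_bytes):
    """Parse an INVENTORY/ITEM wanted list into a list of {field: value} dicts.
    Element names are assumed to follow BrickLink's wanted-list layout."""
    parser = xml.parsers.expat.ParserCreate()
    items, current, text = [], {}, []

    def forbid(what):
        def handler(*_args):
            raise UnsafeXMLError(what + " not accepted in wanted-list uploads")
        return handler

    # Defence in depth: refuse the DTD outright, and independently refuse
    # entity declarations and external entity references.
    parser.StartDoctypeDeclHandler = forbid("DOCTYPE declarations")
    parser.EntityDeclHandler = forbid("entity declarations")
    parser.ExternalEntityRefHandler = forbid("external entity references")

    def start(name, _attrs):
        if name == "ITEM":
            current.clear()
        text.clear()

    def end(name):
        if name == "ITEM":
            items.append(dict(current))
        elif name != "INVENTORY":
            current[name] = "".join(text).strip()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(xml_bytes, True)
    return items

def is_rejected(xml_bytes):
    try:
        parse_wanted_list(xml_bytes)
    except UnsafeXMLError:
        return True
    return False

# Constructed samples: a benign list, and one declaring an external entity.
BENIGN = b"""<INVENTORY><ITEM><ITEMTYPE>P</ITEMTYPE><ITEMID>3001</ITEMID>
<COLOR>5</COLOR><MINQTY>4</MINQTY></ITEM></INVENTORY>"""
HOSTILE = b"""<!DOCTYPE INVENTORY [<!ENTITY xxe SYSTEM "file:///placeholder/path">]>
<INVENTORY><ITEM><ITEMID>&xxe;</ITEMID></ITEM></INVENTORY>"""
```

Rejecting the DTD at the first handler means the entity is never declared, let alone expanded, which also closes off entity-expansion denial-of-service variants that need no external file at all.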
“Often with API vulnerabilities, the most damage arises in combining or cascading attacks. The LEGO case is no different,” Yodev said in a blog post.
Yaniv Balmas, vice president of research, Salt Security, says that increased business use of APIs may offer impressive functionality, but it comes with a cost.
“APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data,” Balmas said when Salt Security’s Salt Labs announced the BrickLink vulnerabilities. “As organisations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”
Salt Labs reached out to Lego before making the announcement, and while Lego has not confirmed it has fixed the issues — as it is not company policy — the exploits are in fact no longer working.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.