Lego fixes dangerous API vulnerability in BrickLink service

The Lego Group has moved swiftly to fix a pair of application programming interface (API) security vulnerabilities that existed in its BrickLink digital resale platform, after they were identified by Salt Labs, the research arm of API specialist Salt Security.

With over a million members, BrickLink is the world’s largest forum for buying and selling second-hand Lego sets. Substantial sums of money change hands through the eBay-style service, with desirable kits, such as the Hogwarts Express from Lego’s Harry Potter series, often selling for close to their original retail price. The holiday period is a particularly busy time for the service, especially when the time comes to pass on duplicate presents.

The two vulnerabilities were uncovered by Salt’s researchers when they examined parts of the BrickLink site that support user input fields. Specifically, the “Find Username” dialogue box of BrickLink’s coupon search contained a cross-site scripting (XSS) vulnerability, which malicious actors can use to inject and execute script in a victim’s browser if the victim follows a specially crafted link.

The research team chained this vulnerability with a session ID exposed on a different page to hijack the victim’s session and take over their account. Such tactics could have been used for full account takeover and to steal user data.

The second vulnerability existed in BrickLink’s “Upload to Wanted List” page – which lets users add Lego sets they have their eye on to a watchlist. Salt’s team were able to execute what is known as an Extensible Markup Language (XML) External Entity (XXE) injection attack, in which an XML input that contains a reference to an external entity is processed by a poorly configured XML parser.

In this way, they found they could read files on the BrickLink web server and mount a second attack, a server-side request forgery (SSRF). Such attacks can be abused in a number of ways, for example to steal AWS EC2 tokens. In layman’s terms, a threat actor could have taken over Lego’s internal servers.
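The parser-side fix for the class of bug described above is to refuse document type declarations outright, so no external entity can ever be declared or fetched. The following is an added example, not BrickLink’s or Salt Labs’ code: the upload handler name, the `<wanted_list>`/`<item>` schema and both sample documents are constructed for illustration.

```python
# Added example, not BrickLink/Lego or Salt Labs code: an XML upload handler that
# refuses any DOCTYPE before the parser can declare or resolve entities, which is
# the configuration fix for XXE. parse_wanted_list and the <wanted_list>/<item>
# schema are hypothetical; the sample documents are constructed.
import xml.parsers.expat


class XXEBlocked(ValueError):
    """The upload carried a DTD; a wanted-list upload has no legitimate use for one."""


def parse_wanted_list(xml_bytes):
    """Return [{"id": ..., "qty": ...}, ...] from <wanted_list><item id=".." qty=".."/>."""
    items = []
    parser = xml.parsers.expat.ParserCreate()

    def reject_dtd(name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE", before any <!ENTITY ...> inside it is processed.
        raise XXEBlocked(f"DOCTYPE not allowed in uploads (root={name!r}, system id={system_id!r})")

    def never_fetch(context, base, system_id, public_id):
        return 0  # defence in depth: a false return makes expat abort instead of fetching

    def start_element(tag, attrs):
        if tag == "item":
            items.append({"id": attrs.get("id"), "qty": int(attrs.get("qty", "1"))})

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.ExternalEntityRefHandler = never_fetch
    parser.StartElementHandler = start_element
    parser.Parse(xml_bytes, True)
    return items


def upload_is_accepted(xml_bytes):
    """True if the document parses, False if it was blocked for carrying a DTD."""
    try:
        parse_wanted_list(xml_bytes)
        return True
    except XXEBlocked:
        return False


# Constructed benign upload.
BENIGN = b'<?xml version="1.0"?><wanted_list><item id="set-0001" qty="1"/><item id="set-0002" qty="2"/></wanted_list>'

# Constructed XXE-shaped upload: an external entity referenced in an attribute. SYSTEM id is a placeholder.
XXE_SHAPED = b'''<?xml version="1.0"?>
<!DOCTYPE wanted_list [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER"> ]>
<wanted_list><item id="&ext;" qty="1"/></wanted_list>'''
```

Because the rejection happens at the `<!DOCTYPE` token, the same check also stops parameter-entity and blind (out-of-band) variants, not just the file-read case described in the article.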

“Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services,” said Yaniv Balmas, vice-president of research at Salt Security.

“As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organisations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”

Indeed, in a recent report on the topic, Salt found that its customers had experienced a 117% increase in API attack traffic, while their overall API traffic grew by 168%. A total of 94% of respondents to the underlying survey said they had experienced security problems in production APIs, with 54% having to delay an application roll-out because of such concerns.

A majority of 61% said they lacked any API security strategy, or had only a basic plan, and 82% were worried that traditional tools are not very effective in preventing API attacks. Salt itself advocates an approach that incorporates machine learning (ML) and artificial intelligence (AI).

The growth trend has seen an increasing number of high-profile incidents linked to API traffic this year, including the recent attack on Australian telco Optus, which saw names, addresses, dates of birth, phone numbers, email addresses, and driving licence and passport data relating to 11 million customers stolen and held to ransom – an incident so serious in its scope that the Australian government is now planning to amend its telecoms security regulations.

The Optus breach began via an unprotected and publicly exposed API that anyone who happened to stumble upon it could have connected to without credentials.

Lego’s story, however, has a happier ending. In this case, Salt’s research team disclosed the vulnerabilities through a coordinated disclosure, and the issues have now been remediated and should pose no further threat to hordes of excited builders over the holidays.
