CIO Influence
CIO Influence News Security

Salt Security Uncovers API Security Flaws Within The LEGO Group Online Service Platform, Issues Remediated

Salt Security Uncovers API Security Flaws Within The LEGO Group Online Service Platform, Issues Remediated

Salt Security, the leading API security company, released new threat research from Salt Labs highlighting two API security vulnerabilities discovered within BrickLink, a digital resale platform owned by The LEGO Group. With more than one million members, Bricklink is the world’s largest online marketplace to buy and sell second-hand LEGO. The API security flaws could have allowed for both large-scale account takeover (ATO) attacks on customers’ accounts and server compromise, enabling bad actors to:

  • Manipulate platform users to gain complete control over their accounts.
  • Leak personal identifiable information (PII) and other sensitive user data stored internally by the platform.
  • Gain access to internal production data, which could have led to a full compromise of the company’s internal servers.

Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered the API security gaps and provided the vulnerability analysis.

CIO INFLUENCE: Ericsson presents a Green Financing Framework

Salt Labs researchers discovered both vulnerabilities by examining areas of the site that support user input fields. In the “Find Username” dialog box of the coupon search functionality, researchers found a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link. The team was able to chain the XSS vulnerability with a Session ID exposed on a different page. By combining those two vulnerabilities, the researchers could hijack the session and achieve account takeover (ATO). Bad actors could have used these tactics for full ATO or to steal sensitive user data.

The second vulnerability was found within the platform’s “Upload to Wanted List” page. This endpoint allows users to uploadlists of wanted LEGO parts and sets in XML format. Using this feature, Salt Labs researchers were able to execute an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser. By leveraging the XXE injection attack, researchers were able to read files on the web server and execute a server-side request forgery (SSRF) attack that could be abused in many ways – for example, to steal AWS EC2 tokens of the server.

Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with LEGO, and all issues were remediated swiftly.

CIO INFLUENCE: Apprentice Now Joins Amazon Web Services Training Partner Program to Deliver AWS Cloud Skills Training

“Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services,” said Yaniv Balmas, VP of Research, Salt Security. “As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”

According to the Salt Security State of API Security Report, Q3 2022, Salt customers experienced a 117% increase in API attack traffic while their overall API traffic grew 168%. The Salt Security API Protection Platform enables companies to identify risks and vulnerabilities in APIs before they are exploited by attackers, including those listed in the OWASP API Top 10. The platform protects APIs across their full lifecycle – build, deploy and runtime phases – utilizing cloud-scale big data combined with AI and ML to baseline millions of users and APIs. By delivering context-based insights across the entire API lifecycle, Salt enables users to detect the reconnaissance activity of bad actors and block them before they can reach their objective. The exploits the Salt Labs team performed would have immediately triggered the Salt platform to highlight the attack.

CIO INFLUENCE: PlainID Launches The PlainID Technology Network to Enable Identity Aware Security for Advanced Access Control

[To share your insights with us, please write to sghosh@martechseries.com]

Related posts

Wrike Enters Agreement With Operator of the World’s Largest Ecosystem of Cloud Solutions, Ingram Micro Cloud

DC BLOX Expands Birmingham Data Center to Empower High-Performance Computing

Business Wire

DOBOT Unveils Second-Generation M1 Pro Collaborative Robot at iREX 2022 in Tokyo