Application programming interface (API) security vulnerabilities have been discovered in a LEGO resale platform owned by LEGO® Group, which could have put sensitive customer information at risk.
An investigation by Salt Security’s research team, Salt Labs, found two API security flaws within BrickLink, an online marketplace to buy and sell LEGO parts, Minifigures and sets, which has over a million members.
The researchers said the flaws could have enabled threat actors to perform large-scale account takeover (ATO) attacks on customer accounts, access personally identifiable information (PII) user data stored by the platform and gain access to internal production data, potentially leading to a full compromise of BrickLink’s internal servers.
Speaking to Infosecurity Magazine during Black Hat Europe 2022, Yaniv Balmas, VP of research, Salt Security, explained: “What we found there puts every user of that system at risk – we could potentially access all the information stored of the user, including personal data and credit card details.”
The issues have been remediated after Salt Labs followed coordinated disclosure practices with LEGO.
The first security issue was discovered in the ‘Find Username’ dialog box of the coupon search functionality. Here, the researchers uncovered a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user's machine through a crafted link. The testers then chained the XSS vulnerability with a Session ID exposed on a different page, allowing them to hijack the session and achieve ATO. This approach could be used for a full ATO or to steal sensitive user data, according to Salt Labs.
The second vulnerability was located within BrickLink’s ‘Upload to Wanted List,’ in which the researchers executed an XML External Entity (XXE) injection attack. This occurs where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.
This tactic let them read files on the web server and execute a server-side request forgery (SSRF) attack, which could be used for various nefarious ends, including stealing the server's AWS EC2 tokens.
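The XXE issue above comes down to a parser that honours DTD and entity declarations in user-supplied XML. Below is an added example, not BrickLink's or Salt Labs' code, of how an upload endpoint can refuse such documents before any entity is resolved, using only Python's standard library; the INVENTORY/ITEM layout of the constructed samples is an assumption, not BrickLink's documented schema.

```python
"""Hardened intake for user-uploaded XML (e.g. a wanted-list upload).

Any DOCTYPE or entity declaration is rejected up front, which removes the
construct an XXE payload depends on regardless of how the real parser is
configured. Added example; the data layout below is an assumption.
"""
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an uploaded document carries DTD/entity constructs."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires for both internal subsets and external DTD references.
    raise UnsafeXMLError(f"DOCTYPE declaration not allowed (name={name!r})")


def _reject_entity(*_args):
    raise UnsafeXMLError("entity declaration not allowed")


def check_no_dtd(xml_bytes: bytes) -> None:
    """Scan with expat; any DOCTYPE/ENTITY declaration raises UnsafeXMLError."""
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def is_safe_upload(xml_bytes: bytes) -> bool:
    try:
        check_no_dtd(xml_bytes)
        return True
    except UnsafeXMLError:
        return False


def parse_wanted_list(xml_bytes: bytes) -> list[dict]:
    """Gate the document, then read ITEM elements into plain dicts."""
    check_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return [{c.tag: (c.text or "") for c in item} for item in root.iter("ITEM")]


# Constructed samples: a benign upload and one carrying an external entity.
SAFE_SAMPLE = (b'<?xml version="1.0"?><INVENTORY><ITEM><ITEMTYPE>P</ITEMTYPE>'
               b'<ITEMID>3001</ITEMID><COLOR>5</COLOR><MINQTY>4</MINQTY></ITEM></INVENTORY>')
XXE_SAMPLE = (b'<?xml version="1.0"?><!DOCTYPE INVENTORY [<!ENTITY xxe SYSTEM '
              b'"file:///PLACEHOLDER/path">]><INVENTORY><ITEM><ITEMID>&xxe;</ITEMID>'
              b'</ITEM></INVENTORY>')
```

The gate runs before the application parser sees the bytes, so it protects whatever XML library the endpoint actually uses.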
Balmas, who heads Salt Labs’ offensive security team, emphasized that all API vulnerabilities are unique and specific to the organization in question. “They are zero days by definition,” he commented.
The use of APIs, which work as the backend framework for mobile and web applications, has increased exponentially in the past five years, with an estimated 80% of all internet traffic routed through these interfaces, Balmas noted.
This is creating significant security issues, with Salt Security finding a 117% increase in API attack traffic over the past year.
Balmas said: “APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data. As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”
He believes the security problems are primarily caused by an overfocus on the rapid development of APIs for functionality, leading to security being neglected. As a result, APIs are increasingly being viewed as a soft target by cyber-criminals.
“When you go into production so quickly, it means there are lots of pieces of code that are still unchecked,” outlined Balmas.
He stressed that it is important for organizations to ensure security is built into APIs at the development stage, which requires more testing and collaboration with security teams. Additionally, there needs to be more awareness of the common “categories” of vulnerabilities to help identify and prevent them from occurring. “When you know these categories it can help you to prevent them in the first place,” added Balmas.
In November 2022, research by Akamai found that the volume of web application and API attacks detected over the past 12 months surged by 3.5 times year-on-year in the financial services sector.