Lego fixes dangerous API vulnerability in BrickLink service

December 16, 2022
in Alerts


The Lego Group has moved swiftly to fix a pair of application programming interface (API) security vulnerabilities that existed in its BrickLink digital resale platform, after they were identified by Salt Labs, the research arm of API specialist Salt Security.

With over a million members, BrickLink is the world’s largest forum for buying and selling second-hand Lego sets. Substantial sums of money change hands through the eBay style service, with desirable kits, such as the Hogwarts Express from Lego’s Harry Potter series often selling for close to their original retail price. The holiday period is a particularly busy time for the service, particularly when the time comes to pass on duplicate presents.

The two vulnerabilities were uncovered by Salt’s researchers when they examined parts of the BrickLink site that accept user input. Specifically, the “Find Username” dialogue box of BrickLink’s coupon search feature contained a cross-site scripting (XSS) vulnerability, which malicious actors can use to inject and execute script in a victim’s browser if the victim follows a specially crafted link.

The research team chained this vulnerability with a Session ID exposed on a different page to hijack the victim’s session and take over their account. Such tactics could have been used for full account takeover and to steal user data.

The second vulnerability existed in BrickLink’s “Upload to Wanted List” page, which lets users add Lego sets they have their eye on to a watchlist. Salt’s team were able to execute what is known as an Extensible Markup Language (XML) External Entity (XXE) injection attack, in which XML input containing a reference to an external entity is processed by a poorly configured XML parser.
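The parser misconfiguration behind an XXE bug, and its fix, as an added illustration that is not code from the article or from BrickLink: the wanted-list document, the external resource table and the element names are all constructed for this example, and the "permissive" branch only mimics a resolver that follows SYSTEM identifiers (it reads from an in-memory dictionary, never from disk or the network).

```python
import xml.parsers.expat

# Constructed stand-in for resources a permissive resolver could reach.
FAKE_RESOURCES = {"file:///secret.txt": "TOP-SECRET"}

# Constructed sample upload carrying an external entity declaration,
# the XXE pattern described in the article.
XXE_DOC = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE INVENTORY [<!ENTITY ext SYSTEM "file:///secret.txt">]>'
    '<INVENTORY><ITEM><REMARKS>&ext;</REMARKS></ITEM></INVENTORY>'
)
CLEAN_DOC = '<INVENTORY><ITEM><REMARKS>42 pieces</REMARKS></ITEM></INVENTORY>'


class DtdNotAllowed(ValueError):
    """Raised by the hardened parser when a document carries a DTD."""


def parse_wanted_list(doc, allow_dtd=False):
    """Return the character data of `doc`.

    allow_dtd=True mimics a poorly configured parser whose resolver
    fetches SYSTEM identifiers; allow_dtd=False rejects any DOCTYPE
    before an entity can be declared, which is the standard mitigation.
    """
    parser = xml.parsers.expat.ParserCreate()
    text = []
    parser.CharacterDataHandler = text.append

    def reject_doctype(*_args):
        raise DtdNotAllowed("DOCTYPE declarations are not accepted")

    def follow_external_ref(context, base, system_id, public_id):
        # Permissive resolver: fetch the resource and parse it as the
        # entity's content, so it lands in the document's text.
        sub = parser.ExternalEntityParserCreate(context)
        sub.Parse(FAKE_RESOURCES.get(system_id, ""), True)
        return 1

    if allow_dtd:
        parser.ExternalEntityRefHandler = follow_external_ref
    else:
        parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(doc, True)
    return "".join(text)
```

With allow_dtd=True the secret is pulled into the parsed output; with the default the same upload is refused before any entity is resolved, while a plain document still parses.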

© 2023 | CyberMaterial | All rights reserved.