Application programming interface (API) security vulnerabilities have been found in a LEGO® Group-owned LEGO reseller platform, which could have put sensitive customer data at risk.
An investigation by Salt Security's research team, Salt Labs, found two API security flaws in BrickLink, an online marketplace for buying and selling LEGO parts, minifigures and sets, which has more than one million members.
The researchers said the issues could have allowed threat actors to perform large-scale account takeover (ATO) attacks on customer accounts, access users' personally identifiable information (PII) stored by the platform, and gain access to internal production data, which could lead to a full compromise of BrickLink's internal servers.
Speaking to Infosecurity Magazine during Black Hat Europe 2022, Yaniv Balmas, Vice President of Research at Salt Security, explained: “What we found there puts all users of that system at risk: we could access all stored user information, including personal data and credit card details.”
The issues were fixed after Salt Labs followed coordinated disclosure practices with LEGO.
The first security issue was found in the “Search Username” dialog of the coupon search function. Here, the researchers found a cross-site scripting (XSS) vulnerability that allowed them to inject and execute code on the victim's end-user device via a crafted link. The testers then chained the XSS vulnerability with an exposed session ID on a different page, allowing them to hijack the session and achieve ATO. This approach could be used for a complete ATO or to steal sensitive user data, according to Salt Labs.
The second vulnerability was located within BrickLink's ‘Upload to Wanted List’ feature, in which the researchers executed an XML External Entity (XXE) injection attack. This occurs when a misconfigured XML parser processes an XML input that contains a reference to an external entity.
This tactic allowed them to read files on the web server and execute a server-side request forgery (SSRF) attack, which could be used for various nefarious ends, including stealing AWS EC2 tokens from the server.
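The parser misconfiguration described above is the kind that a fail-closed XML entry point prevents. The following is an added example (not code from the article, Salt Labs or BrickLink) built on Python's standard-library expat parser: any DOCTYPE or entity declaration is rejected before an entity could be expanded, so an XXE payload cannot read server files or reach internal services, while plain well-formed XML still parses. The `wantedList` element names and the sample payload are constructed for illustration.

```python
import xml.parsers.expat

class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DTD or entity construct."""

def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client-supplied XML, returning the root name and text content."""
    parser = xml.parsers.expat.ParserCreate()
    found = {"root": None, "text": []}

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE not allowed (name={name!r})")

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        # Defence in depth: only reachable if a DOCTYPE were ever permitted.
        raise UnsafeXMLError(f"entity declaration not allowed (name={name!r})")

    def refuse_external(context, base, system_id, public_id):
        return 0  # false return makes expat abort rather than resolve system_id

    def start_element(name, attrs):
        if found["root"] is None:
            found["root"] = name

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = refuse_external
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = found["text"].append
    parser.Parse(data, True)
    return {"root": found["root"], "text": "".join(found["text"]).strip()}

def screen_request_body(data: bytes) -> tuple:
    """Return (accepted, detail); detail is suitable for a security log line."""
    try:
        summary = parse_untrusted_xml(data)
    except UnsafeXMLError as exc:
        return False, f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return False, f"rejected: malformed XML ({exc})"
    return True, f"accepted: root={summary['root']} text={summary['text']!r}"

# Constructed inputs: a benign wanted-list upload and an XXE-style payload of the
# kind described above (external entity pointing at a server-local file).
BENIGN = b"<wantedList><item>3001</item></wantedList>"
XXE_PAYLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE wantedList [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    b"<wantedList><item>&xxe;</item></wantedList>"
)
```

Logging the rejection detail gives the security team a signal for XXE attempts against the endpoint, which a silently tolerant parser would never produce.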
Balmas, who heads Salt Labs' offensive security team, emphasized that all API vulnerabilities are unique and specific to the organization in question. “They're zero days by definition,” he commented.
The use of APIs, which function as the back-end framework for web and mobile applications, has increased exponentially in the last five years, with an estimated 80% of all Internet traffic routed through these interfaces, Balmas noted.
This is raising significant security concerns, as Salt Security found a 117% increase in API attack traffic over the past 12 months.
Balmas said: “APIs have become one of the largest and most critical attack vectors for gaining access to business systems and user data. As organizations rapidly scale, many are unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving businesses and their valuable data exposed to bad actors.”
He believes that security issues are primarily caused by an excessive focus on rapidly developing APIs for functionality, leading to security being neglected. Consequently, cybercriminals increasingly view APIs as an easy target.
“When you go into production that fast, it means there are a lot of code snippets that haven't been verified yet,” Balmas noted.
He stressed that it is essential for organizations to ensure that security is built into APIs at the development stage, which requires additional testing and collaboration with security teams. Additionally, there needs to be more awareness of common “classes” of vulnerabilities to help identify and prevent them from occurring. “When you know these classes, it can help you prevent them in the first place,” Balmas added.
In November 2022, Akamai research found that the volume of web application and API attacks detected in the last 12 months increased 3.5 times over the previous 12 months in the financial services industry.
API Vulnerabilities Discovered in LEGO Marketplace