Security News > 2022 > December > LEGO BrickLink bugs let hackers hijack accounts, breach servers
Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Group's official second-hand and vintage marketplace for LEGO bricks.
BrickLink is the world's largest online community of LEGO fans, with over a million registered members.
Two API security issues discovered by Salt Security could have allowed an attacker to take over members' accounts, access and steal personally identifiable information stored on the platform, or even gain access to internal production data and compromise internal servers.
Salt Security's analysts discovered the vulnerabilities while experimenting with user input fields on the BrickLink website.
Using the target's Session ID exposed on a different page, an attacker could leverage the XSS flaw to hijack the session and take over the target's account.
The security researchers reported the discovered vulnerabilities to LEGO, and the company took action to fix all issues.
News URL
Related news
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities (source)
- BT unit took servers offline after Black Basta ransomware breach (source)
- APT29 Hackers Target High-Value Victims Using Rogue RDP Servers and PyRDP (source)
- White House links ninth telecom breach to Chinese hackers (source)
- Hackers steal ZAGG customers' credit cards in third-party breach (source)