Security News > 2022 > December > LEGO BrickLink bugs let hackers hijack accounts, breach servers

Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Group's official second-hand and vintage marketplace for LEGO bricks.
BrickLink is the world's largest online community of LEGO fans, with over a million registered members.
Two API security issues discovered by Salt Security could have allowed an attacker to take over members' accounts, access and steal personally identifiable information stored on the platform, or even gain access to internal production data and compromise internal servers.
Salt Security's analysts discovered the vulnerabilities while experimenting with user input fields on the BrickLink website.
Using the target's Session ID exposed on a different page, an attacker could leverage the XSS flaw to hijack the session and take over the target's account.
The security researchers reported the discovered vulnerabilities to LEGO, and the company took action to fix all issues.
News URL
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- Chinese hackers breach more US telecoms via unpatched Cisco routers (source)
- Orange Group confirms breach after hacker leaks company documents (source)
- Rubrik rotates authentication keys after log server breach (source)
- Silk Typhoon hackers now target IT supply chains to breach networks (source)
- Chinese Hackers Breach Juniper Networks Routers With Custom Backdoors and Rootkits (source)
- Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom (source)
- Oracle denies breach after hacker claims theft of 6 million data records (source)
- Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years (source)
- StreamElements discloses third-party data breach after hacker leaks data (source)