Security News > 2022 > December > LEGO BrickLink bugs let hackers hijack accounts, breach servers
Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Group's official second-hand and vintage marketplace for LEGO bricks.
BrickLink is the world's largest online community of LEGO fans, with over a million registered members.
Two API security issues discovered by Salt Security could have allowed an attacker to take over members' accounts, access and steal personally identifiable information stored on the platform, or even gain access to internal production data and compromise internal servers.
Salt Security's analysts discovered the vulnerabilities while experimenting with user input fields on the BrickLink website.
Using the target's Session ID exposed on a different page, an attacker could leverage the XSS flaw to hijack the session and take over the target's account.
The security researchers reported the discovered vulnerabilities to LEGO, and the company took action to fix all issues.
News URL
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- HPE investigates breach as hacker claims to steal source code (source)
- CISA: Hackers still exploiting older Ivanti bugs to breach networks (source)
- Hackers exploiting flaws in SimpleHelp RMM to breach networks (source)
- Chinese hackers breach more US telecoms via unpatched Cisco routers (source)
- Orange Group confirms breach after hacker leaks company documents (source)