Security News > 2022 > December > LEGO BrickLink bugs let hackers hijack accounts, breach servers
Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Group's official second-hand and vintage marketplace for LEGO bricks.
BrickLink is the world's largest online community of LEGO fans, with over a million registered members.
Two API security issues discovered by Salt Security could have allowed an attacker to take over members' accounts, access and steal personally identifiable information stored on the platform, or even gain access to internal production data and compromise internal servers.
Salt Security's analysts discovered the vulnerabilities while experimenting with user input fields on the BrickLink website.
Using the target's Session ID exposed on a different page, an attacker could leverage the XSS flaw to hijack the session and take over the target's account.
The security researchers reported the discovered vulnerabilities to LEGO, and the company took action to fix all issues.
News URL
Related news
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers (source)
- CISA: Hackers abuse F5 BIG-IP cookies to map internal servers (source)
- USDoD hacker behind National Public Data breach arrested in Brazil (source)
- Schneider Electric confirms dev platform breach after hacker steals data (source)
- Nokia investigates breach after hacker claims to steal source code (source)
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)