API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.
Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.
Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salt Labs security researcher, revealed in a report published on Dec. 15.
The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.
One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.
API Weaknesses Abound
The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.
There is a key reason for that, Yodev tells Dark Reading: No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.
"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."
And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.
"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.
Personal Interest, Rapid Response
The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.
The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.
Because of the popularity of Legos, BrickLink has more than 1 million members who use its site.
The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.
"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.
Snapping Together the Vulnerabilities
Researchers found the XSS flaw in the "Find Username" dialog box of BrickLink's coupon search functionality, leading to an attack chain that used a session ID exposed on a different page, they said.
"In the 'Find Username' dialog box, a user can write free text that eventually ends up rendered into the webpage's HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."
Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.
"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.
Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.
The vulnerability was present because of how the site's XML parser handled XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLink page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that is typically not accessible to the application, he wrote.
Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.
Avoiding Similar API Flaws
Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.
In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, as the researchers demonstrated with the Lego flaws.
To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.
Organizations also should be careful in how they handle session IDs on Web-facing sites because the session ID is "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.
"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.
Finally, the easiest way to stop XXE injection attacks like the one the researchers demonstrated is to completely disable External Entities in your XML parser's configuration, the researchers said. OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.
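The mitigation described above, as an added example rather than code from Salt Labs or BrickLink: a Python parser for an "Upload to Wanted List"-style XML upload that refuses any DOCTYPE, entity declaration or external entity reference before the document is parsed, which is the stdlib equivalent of disabling external entities in the parser configuration. The element names INVENTORY, ITEM, ITEMID and MINQTY and the file path in the rejected sample are assumptions.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Upload carries a DTD, an entity declaration or an external reference."""


def _forbid(*_args):
    # Installed as an expat handler: the first DOCTYPE/entity event aborts parsing.
    raise UnsafeXmlError("DOCTYPE and entity declarations are not accepted")


def assert_no_dtd(xml_bytes: bytes) -> None:
    """Pre-scan with stdlib expat and fail on any DTD-related event.

    expat only fetches external entities when a handler is installed, and the
    handler installed here refuses, so neither general nor parameter entities
    can trigger the file read or SSRF the article describes.
    """
    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = _forbid
    p.EntityDeclHandler = _forbid
    p.ExternalEntityRefHandler = _forbid
    p.Parse(xml_bytes, True)


def parse_wanted_list(xml_bytes: bytes) -> list[tuple[str, int]]:
    """Return (item id, minimum quantity) pairs from a wanted-list upload."""
    assert_no_dtd(xml_bytes)  # hardened: refuse before ElementTree sees the data
    root = ET.fromstring(xml_bytes)
    return [(item.findtext("ITEMID", "").strip(), int(item.findtext("MINQTY", "1")))
            for item in root.iter("ITEM")]


# Constructed sample uploads; element names and the file path are assumptions.
SAFE_UPLOAD = b"""<?xml version="1.0"?>
<INVENTORY><ITEM><ITEMID>3001</ITEMID><MINQTY>4</MINQTY></ITEM></INVENTORY>"""
XXE_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE INVENTORY [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>
<INVENTORY><ITEM><ITEMID>&ext;</ITEMID></ITEM></INVENTORY>"""


def demo() -> tuple[list[tuple[str, int]], bool]:
    # Parse the clean upload and confirm the DTD-carrying one is rejected.
    try:
        parse_wanted_list(XXE_UPLOAD)
        rejected = False
    except UnsafeXmlError:
        rejected = True
    return parse_wanted_list(SAFE_UPLOAD), rejected
```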