
When the name Lego comes to mind, most people think of toy bricks and childhood imagination. BrickLink is a digital service provided by Lego, where second-hand Legos are sold.
Researchers discovered two API security vulnerabilities in BrickLink. The API security flaws could have allowed large-scale account takeover attacks on customers’ accounts as well as server compromise.
The API flaws could have enabled bad actors to manipulate platform users in order to gain complete control over their accounts and to access PII and other sensitive user data stored internally by the platform.
The first vulnerability was found in the “Find Username” dialog box of the coupon search functionality, where researchers identified an XSS vulnerability that enabled them to inject and execute code on an end user’s machine through a crafted link. Researchers were able to chain the XSS vulnerability with a Session ID exposed on a different page, hijack the session, and achieve account takeover.
The second vulnerability was found on the “Upload to Wanted List” page. The endpoint allows users to upload a list of Lego parts and sets in XML format. Using this feature, the researchers could perform an XXE (XML External Entity) injection attack. Researchers were able to read files on the web server and execute a server-side request forgery attack. Such access could be abused in many ways, such as stealing AWS EC2 tokens off the server.
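The XXE class of bug described above is defeated by refusing to process a DTD at all: if an upload cannot declare entities, it cannot reference local files or internal network addresses through them. The following is an added example of that mitigation, not code from BrickLink or from the Salt Security research; the `<wanted><item><itemid/><qty/></item></wanted>` upload format and both sample documents are constructed for illustration. It uses Python's standard expat bindings and aborts parsing the moment a DOCTYPE, an entity declaration, or an external entity reference appears, before any element content is handled.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an upload carries a DTD, an entity declaration or an external entity reference."""


def parse_wanted_list(xml_bytes: bytes) -> list[dict]:
    """Parse a hypothetical wanted-list upload into [{"itemid": ..., "qty": ...}, ...].

    Any DOCTYPE (and therefore any ENTITY declaration) is rejected as soon as the
    parser sees it, so no entity can ever be resolved against the server's files
    or network.
    """
    items: list[dict] = []
    current: dict = {}
    field = None          # the leaf element whose text we are collecting
    text: list[str] = []  # character-data fragments for that leaf

    parser = xml.parsers.expat.ParserCreate()

    # --- hardening: an exception raised in a handler aborts Parse() immediately ---
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE '{name}' is not allowed in uploads")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration '{name}' is not allowed")

    def reject_external(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference to {sysid!r} is not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external

    # --- ordinary content handling for the constructed upload format ---
    def start(tag, attrs):
        nonlocal current, field, text
        if tag == "item":
            current = {}
        elif tag in ("itemid", "qty"):
            field = tag
            text = []

    def chars(data):
        if field is not None:
            text.append(data)

    def end(tag):
        nonlocal current, field
        if tag in ("itemid", "qty"):
            current[tag] = "".join(text).strip()
            field = None
        elif tag == "item":
            items.append(current)
            current = {}

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end

    parser.Parse(xml_bytes, True)
    return items


def check_upload(xml_bytes: bytes):
    """Return (accepted, payload): the parsed items on success, a rejection reason otherwise."""
    try:
        return True, parse_wanted_list(xml_bytes)
    except UnsafeXMLError as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed sample uploads (not real BrickLink data).
BENIGN_UPLOAD = b"""<?xml version="1.0"?>
<wanted>
  <item><itemid>3001</itemid><qty>4</qty></item>
  <item><itemid>3003</itemid><qty>2</qty></item>
</wanted>"""

# A DTD declaring an external entity; the path is a placeholder, not a real target.
XXE_UPLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE wanted [<!ENTITY xxe SYSTEM "file:///placeholder/path/on/server">]>
<wanted><item><itemid>&xxe;</itemid><qty>1</qty></item></wanted>"""


if __name__ == "__main__":
    print(check_upload(BENIGN_UPLOAD))
    print(check_upload(XXE_UPLOAD))
```

Rejecting the DTD outright is the same policy that libraries such as defusedxml apply by default; it also closes off entity-expansion denial of service, since internal entities can no longer be declared either. A server that needs a DTD for some legitimate reason should instead validate against a fixed, locally stored schema and never honour `SYSTEM` identifiers supplied by the upload.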
Researchers followed disclosure practices, and Lego remediated all issues swiftly after being informed of them.
This research was documented by researchers from Salt Security.