Bugs in Lego Resale Site Allowed Hackers to Hijack Accounts


Security analysts have found bugs in Lego’s second-hand online marketplace that left its users at risk of account hijacking and data leakage.

In a blog post, Salt Labs said that the issues, now resolved, affected Lego-owned BrickLink.com, the world’s largest official marketplace for Lego bricks.

The security researchers said that two API security issues could have enabled an attacker to take over BrickLink accounts, and access and steal personally identifiable information stored on the site. The vulnerabilities could have also allowed attackers to gain access to internal production data and compromise internal servers, Bleeping Computer reports.

The BrickLink bugs were spotted when Salt Labs analysts were experimenting with user input fields on the marketplace site.

The first flaw noted by the researchers was a cross-site scripting (XSS) weakness in the “Find Username” dialog box of the coupon search section, which allowed the “injection and execution” of code on a targeted user’s machine.
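The XSS described above comes from user-supplied text reaching the page as live markup. The following is an added example, not code from BrickLink or Salt Labs, that contrasts the vulnerable pattern with the hardened one for a hypothetical username lookup that echoes the searched name back; the function names, the rendered markup and the sample input are all assumptions constructed for the demonstration.

```javascript
// Added example (not BrickLink's code): rendering a "find username" style
// lookup result safely. Assumption: the page echoes the searched name back
// inside element content.

// Characters that change meaning inside HTML element content or attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape text before it is placed into HTML, so markup in user input stays inert.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled text concatenated straight into markup.
// A name containing a <script> tag or an event handler attribute would execute.
function renderUnsafe(username) {
  return `<p>Results for user: ${username}</p>`;
}

// Hardened pattern: same output shape, but the username is escaped first.
function renderSafe(username) {
  return `<p>Results for user: ${escapeHtml(username)}</p>`;
}

// Rough review aid: does a rendered fragment still contain a script tag or an
// inline event handler? Used here only to show the difference between the two
// renderers; it is not a substitute for context-aware output encoding.
function containsActiveMarkup(html) {
  return /<script\b|\bon\w+\s*=/i.test(html);
}

// Constructed sample input standing in for a hostile "find username" query.
const SAMPLE_INPUT = "<script>alert(1)</script>";

console.log("unsafe:", renderUnsafe(SAMPLE_INPUT));
console.log("safe:  ", renderSafe(SAMPLE_INPUT));
console.log("unsafe still active?", containsActiveMarkup(renderUnsafe(SAMPLE_INPUT)));
console.log("safe still active?  ", containsActiveMarkup(renderSafe(SAMPLE_INPUT)));
```

In a browser the same effect is obtained by assigning the untrusted value to `textContent` rather than `innerHTML`; the escaping shown here is for the case where HTML strings are assembled by hand, and a different encoder is needed if the value is placed inside a URL, a script block or a CSS context.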

If exploited correctly, the flaw could have given attackers access to personal details such as a targeted user’s email address, shipping address, order, and message history, Salt Labs said.

Researchers also exploited a flaw on the “Upload to Wanted List” page where a faulty endpoint parsing mechanism allowed them to launch an attack that could read internal production data. 


The analysts said that they were unable to confirm or deny whether any of the vulnerabilities were exploited.

PCMag contacted Lego for comment on the BrickLink bugs but did not immediately receive a response.

The security analysts encourage any Lego fan who is concerned about the reported vulnerabilities to contact the brand directly.

In October, Lego decided to discontinue its Mindstorms range of programmable robots, after 24 years of production. It means the end of Lego’s $359.99 Mindstorms Robot Inventor Kit, which lets Lego-fans build five different robot models out of 949 Lego bricks.
