API Vulnerabilities Discovered in LEGO Marketplace

Application programming interface (API) security vulnerabilities have been discovered in a LEGO resale platform owned by LEGO® Group, which could have put sensitive customer information at risk.

An investigation by Salt Security’s research team, Salt Labs, found two API security flaws within BrickLink, an online marketplace to buy and sell LEGO parts, Minifigures and sets, which has over a million members.

The researchers said the flaws could have enabled threat actors to perform large-scale account takeover (ATO) attacks on customer accounts, access personally identifiable information (PII) user data stored by the platform and gain access to internal production data, potentially leading to a full compromise of BrickLink’s internal servers.

Read more…
Source: Infosecurity Magazine