
2 API vulnerabilities found in LEGO Marketplace


A group of researchers from Salt Labs has discovered two API vulnerabilities in BrickLink, an online marketplace with over a million members used to buy and sell LEGO parts, figurines and kits. The bugs have been fixed following safe disclosure to LEGO. 

Overall, the two vulnerabilities combined could let attackers do the following when exploited:

  • Manipulate users to gain complete access to their accounts.
  • Leak Personally Identifiable Information (PII) and other sensitive data stored by the site. 
  • Gain access to internal production data, potentially leading to a full takeover of the company’s internal servers.

The researchers say their tests show that LEGO has fixed these vulnerabilities. Due to an internal policy enforced by the LEGO security team, the researchers cannot share any information about the reported vulnerabilities, say whether the attack vectors were ever exploited, or positively confirm the fixes.

The first was an XSS (cross-site scripting) vulnerability that let attackers inject and run malicious code in a victim’s browser via a maliciously crafted link. The bug resided in the ‘Find Username’ input field of the website’s coupon search feature.

Researchers were able to link this XSS vulnerability with a Session ID exposed on another page on the site, which allowed them to hijack the user session and remotely take over the account. 

The second vulnerability was found in the website’s “Upload to Wanted List” feature, where an attacker could carry out an XML External Entity (XXE) injection attack. Successful exploitation can give the attacker read access to web server files and a foothold for a server-side request forgery (SSRF) attack, which in turn can expose the server’s AWS EC2 tokens.
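The defensive side of the XXE finding, as an added illustration that is not BrickLink’s or Salt Labs’ code: a parser for an XML wanted-list upload built on Python’s standard-library expat that refuses any DOCTYPE or entity declaration outright. The element names (`INVENTORY`, `ITEM`, `ITEMTYPE`, `ITEMID`, `MINQTY`) and the sample uploads are assumptions made for the example.

```python
import xml.parsers.expat

class RejectedUpload(ValueError): pass  # DTD, entity or external reference seen


def parse_wanted_list(xml_bytes: bytes) -> tuple:
    """Return ([(item_type, item_id, min_qty), ...], None) if the upload is
    accepted, or ([], reason) if it is refused or malformed."""
    items, current, text = [], {}, []
    p = xml.parsers.expat.ParserCreate()

    def reject(*_):
        raise RejectedUpload("DOCTYPE / entity declarations are not accepted")

    # XXE and entity-expansion DoS both need a DOCTYPE with <!ENTITY> declarations,
    # which a genuine wanted list never carries: refuse any DTD outright.
    p.StartDoctypeDeclHandler = reject
    p.EntityDeclHandler = reject
    p.ExternalEntityRefHandler = reject  # never dereference SYSTEM/PUBLIC ids

    def start(name, _attrs):
        if name == "ITEM":
            current.clear()
        text.clear()

    def end(name):
        if name in ("ITEMTYPE", "ITEMID", "MINQTY"):
            current[name] = "".join(text).strip()
        elif name == "ITEM":
            items.append((current.get("ITEMTYPE"), current.get("ITEMID"),
                          int(current.get("MINQTY", "1"))))
        text.clear()

    p.StartElementHandler, p.EndElementHandler = start, end
    p.CharacterDataHandler = text.append
    try:
        p.Parse(xml_bytes, True)
    except RejectedUpload as exc:
        return [], str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return [], f"malformed XML: {exc}"
    return items, None


# Constructed sample uploads: a benign list and one carrying an entity
# declaration that points at a server-side file (placeholder path).
BENIGN = b"""<INVENTORY>
  <ITEM><ITEMTYPE>P</ITEMTYPE><ITEMID>3001</ITEMID><MINQTY>4</MINQTY></ITEM>
  <ITEM><ITEMTYPE>P</ITEMTYPE><ITEMID>3003</ITEMID></ITEM>
</INVENTORY>"""
WITH_DTD = b"""<!DOCTYPE INVENTORY [<!ENTITY ext SYSTEM "file:///placeholder">]>
<INVENTORY><ITEM><ITEMID>&ext;</ITEMID></ITEM></INVENTORY>"""
```

Refusing the DTD as a whole is simpler to audit than toggling entity features on a parser, and it also blocks internal-entity expansion attacks against the same endpoint.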

These APIs formed the backend of the marketplace’s mobile and web applications, and nearly 80% of the overall traffic on the site went through them. Since the vulnerabilities are unique and specific to the organisation, they’re zero days by definition. 
