A collection of colourful building bricks

Lego’s Bricklink steps on cross site scripting blocks

If you build it, they will come. In Lego’s case, they built it and certain security flaws meant someone could have taken it all apart.

PCMag reports that flaws in Lego’s Bricklink service meant that it was open to potential data leakage or even account hijacking. Those flaws, now addressed, potentially impacted users of the Bricklink portal. If you’re unfamiliar with the site, it’s the biggest official marketplace for Lego bricks in the world, with a million or so registered users. That’s a whole lot of Lego.

If there’s ever been an incredibly obscure or hard to find piece you needed for that cool Lego project you’ve been working on, there’s a good chance you’d have found what you were looking for.

What researchers found while looking at user input fields was a way to build out some cross-site scripting (XSS) issues. XSS is a type of injection attack, where vulnerable web applications are exploited in ways which allows for malicious script to be injected into the page. Shall we take a look?

Building a path to sanitation

According to Salt Security, the web server wasn’t sanitising user input correctly which led to code injection in the rendered web page. They were able to inject and execute JavaScript code as a result.

From here, they were able to chain the above technique to a payload which would read code on the page containing the session ID value and send it to their own server. The unprotected session ID tagged onto the XSS could result in a full account takeover, along with access to data related to the account. This would include shipping address, orders, message history, and email address.  As the researchers point out, this is a bit limiting as it requires some level of victim interaction to pull off successfully.

When your “most wanted” is an external entity attack

The second issue was something which would require no victim interaction to achieve. BrickLink allows users to populate a wanted list page. Desperate for that rare leg from the 1970s, or a piece of a treasure island from the 80s? No problem, upload the data as Extensible Markup Language (an XML file) and take it from there.

Once you hit the continue button, your parts magically appear in readable format, complete with an image of the desired item, and onto your wanted list it goes (think “Amazon wish list”, but for Lego).

The researchers were able to make use of an XML external entity (XXE) attack, which can interfere with regular processing of XML data. Their testing allowed them to pull up the contents of the /etc/passwd file, and could have resulted in Server Side Request Forgery attacks (SSRF). SSRF is very bad, because it can give attackers the ability to fool a server into granting access to places which would not otherwise be available. SSRF issues are unfortunately common, and need to be acted upon quickly.

Disclosure and response

These vulnerabilities were discovered on October 18, with technical details disclosed on October 23. Although the Lego security team confirmed the disclosure on the 25th, they went on to say that internal policy is not to comment as to whether specific issues have been fixed. For the Salt Security team’s part, they have confirmed through their own testing on November 10 that the issues appear to have been addressed.

Your bricks, for now, remain standing.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.