Hackers can use LEGO BrickLink bugs to hijack accounts and breach servers

Two API security flaws were discovered by security analysts at is the LEGO Group’s vintage and second-hand marketplace for LEGO bricks.

BrickLink, the largest LEGO fan community online with more than a million members, is known as “BrickLink”.

BrickLink homepage


Salt Security discovered two API security flaws that could allow an attacker to gain control of members’ accounts and access, steal, and even compromise, internal production data.

Details about API flaws

Salt Security analysts found the flaws while testing user input fields at BrickLink.

First, there is an XSS (cross-site scripting) vulnerability in the Coupon Search Section’s “Find Username” dialog box. This allowed an attacker inject code and execute it on the target machine by using a special link.

The vulnerable field on the site


An attacker can use the XSS flaw and expose the Session ID of the target on a separate page to steal the session.

Accessing your account will allow you to view all information stored on the platform including email address and shipping address.

This flaw is located at the page “Upload to Wanted List”, where users upload XML files containing LEGO parts that they want to purchase.

Salt Security analysts exploited a weakness in the endpoint parsing system to launch an XML External Entity attack (XXE), which added a reference of an external entity to their file.

They were able to access files and run a server-side request fogery attack (SSRF), which may have the potential to allow them to steal AWS EC2 tokens.

Security researchers reported all vulnerabilities discovered to LEGO. The company then took corrective action.

Cyberattacks increase during the shopping season and are more common in the retail sector. The focus on security and business is less important than the commercial aspects.

Strong account credentials are recommended and two-factor authentication enabled where possible. If possible, it is a smart idea to create guest accounts and virtual/temporary payments cards when placing orders.