Lego site vulnerabilities highlight API security gaps
What's old is new again: Lego site BrickLink was found vulnerable to cross-site scripting and other well-understood types of attacks, intensifying scrutiny on API security.
API security researchers published a report this week about significant vulnerabilities in a website owned by toy company Lego Group. Industry experts say it reflects a common application security gap.
A Salt Labs researcher first reported vulnerabilities he found on BrickLink, an online marketplace for secondhand Lego sets, to Lego Group in October. Salt Labs is part of Salt Security, an API security vendor; BrickLink, founded in 2000, was acquired by Lego Group in 2019. Lego Group, which is not a Salt Security customer, has since mitigated the vulnerabilities that could have allowed user account takeover via cross-site scripting (XSS) and the discovery of sensitive data such as user passwords using XML external entities (XXE).
Without a patch, these API security loopholes could have put a significant number of consumers at risk, given the popularity of Lego and BrickLink -- Salt researchers estimated BrickLink has more than 1 million registered users.
Salt's probe of BrickLink was part of a series of investigations into popular consumer websites for API security vulnerabilities, which the company's researchers said frequently yield similar results.
"Out of every three API services that we look at, we find at least one severe vulnerability," said Yaniv Balmas, vice president of research at Salt Security.
Techniques such as XSS and XXE processing have long been tricks of the cyber attackers' trade, and protecting against them a familiar part of IT security hygiene, he said. But increased reliance on APIs amid the shift to cloud computing and web applications has them surfacing again.
"These textbook vulnerabilities didn't really go away once APIs came -- it's just a different landscape," Balmas said. "They may be even more relevant [now] because [APIs] make them more approachable to attackers."
Lego Group did not respond to a request for comment from TechTarget Editorial this week. A Salt Security spokesperson said Lego Group does not comment on vulnerability disclosures or confirm patches as a matter of policy, but Balmas said Salt Labs researchers independently verified that the vulnerabilities were no longer present on BrickLink in November.
'Once you've found them, reusing them is a kid's game'
Salt Labs initially researched the main Lego.com website, but found that BrickLink was more susceptible to API security issues because it offers a wider range of functionality, such as searching for coupons or posting a list of wanted items. These areas of the BrickLink website contain text fields that allow users to freely type, which Salt researchers showed could serve as a starting point for potential attacks.
The coupon search allowed for HTML code injection onto the rendered webpage, which the web server should have sanitized, but didn't, according to the Salt Labs report. From there, it was a short leap to insert JavaScript code to execute an XSS attack. Using Burp Suite vulnerability scanning tools to uncover session ID data on another section of the site's code allowed for a full account takeover, provided that a targeted user clicked a malicious link.
"Finding [these vulnerabilities] is not an easy thing to do -- it takes some skill," Balmas said. "But once you've found them, reusing them is a kid's game. Anyone can do that."
Chaining vulnerabilities -- as Salt Security researchers did by combining XSS and exposed session ID data with a malicious link -- is similar to an approach taken by an attacker that breached the FBI's InfraGard service, said Daniel Kennedy, an analyst at 451 Research, a division of S&P Global Market Intelligence.
"It's not so straightforward that it's a single attack against an API, yet it's a good example of how a leak issue in an API can be combined by an attacker with an issue -- in this case, an attack in another place -- in a web application," Kennedy said of the Salt Labs investigation. "The InfraGard breach ... has a somewhat similar profile with an API leveraged after successfully completing another attack -- in that case, a form of identity spoofing."
Meanwhile, BrickLink's Wanted List section presents an endpoint for users to upload XML-formatted lists of Lego pieces and sets they are looking for. A Salt Labs researcher used an XXE injection attack delivered via this endpoint to prompt the web server to disclose confidential information, such as the contents of its password file. Such an attack could also potentially lead to server-side request forgery attacks similar to those used in a high-profile breach of Capital One in 2019, depending on the underlying infrastructure.
"[The XXE vulnerability] allowed us to try and access places the web server was allowed to reach, whether that's the internal network or servers belonging to partners, if it was connected to that," Balmas said.
Salt Labs didn't determine whether such connections existed, however.
"I only showed that I could read arbitrary files on the server," said Shiran Yodev, the Salt Security researcher who performed the investigation, in an interview this week. "We believed this was severe enough for the publication [of these] issues, but we didn't want to actually attack the server and steal data. So that's where we stopped."
Support for testing APIs was chosen as the most important feature for application security tools among 401 respondents to a 2022 survey by S&P Global Market Intelligence.
API security: A DevSecOps hot potato
Given the "textbook" nature of these vulnerabilities, why did they appear on the website of a household name company in 2022? Industry experts said the evolving nature of enterprise API security practices might be to blame.
"The API security space isn't new, but the exponential increase in the dependency on APIs in web applications and microservices architectures is changing the nature of protection requirements, just as a result of increased scale and bad actor attention," Kennedy said.
A vulnerable API endpoint might not be immediately obvious to a development team and might not be as visible to a security team either, so attackers might be able to exploit it with some impunity.
Fernando MontenegroSenior principal analyst, Omdia
API security can fall through organizational cracks at enterprises, where it sits at the intersection -- and potential no man's land -- between developers, security operations and business groups, said Fernando Montenegro, senior principal analyst at Omdia.
"It is an area of high potential for miscommunication, where issues might be misunderstood or overlooked," Montenegro said. "A vulnerable API endpoint might not be immediately obvious to a development team and might not be as visible to a security team either, so attackers might be able to exploit it with some impunity."
Attacks on public-facing APIs can be technically difficult to weed out from normal user interactions with conventional tools, which has enterprises turning to new startups whose products use machine learning to detect anomalous API behavior. Some API security experts have called for a new technique called shield right to balance real-time API security threat detection in production with secure coding practices by developers. The Open Web Application Security Project standards organization has a list of the top 10 vulnerabilities specific to APIs.
Awareness of API security as a key area of concern is growing, according to recent analyst surveys of enterprise IT pros.
In a November survey from TechTarget's Enterprise Strategy Group, 45% of respondents identified APIs as the elements of the cloud-native application stack most susceptible to compromise among the 350 IT and cybersecurity professionals who participated. Attacks that resulted in the loss of data due to insecure use of APIs also topped the list of the types of cybersecurity incidents organizations have experienced, reported by 38% of the survey's respondents.
API security -- specifically, API security testing that can be shifted left into the software delivery pipeline -- was the most important feature cited by IT pros considering application security tools, according to a survey by S&P Global. More than 80% of the survey's 401 respondents said support for testing APIs was "very important" or "somewhat important" when selecting an application security vendor.
"API security is a hot topic," said Melinda Marks, an analyst at Enterprise Strategy Group. "Organizations are just starting to understand that you can attack the APIs themselves. It's a separate risk from just hacking the application."
Beth Pariseau, senior news writer at TechTarget Editorial, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.
