Glad you did what you (guys?) did! And thanks for posting it here too. Doesn't take the feeling away Lego should have responded differently, but my take is that you [...] (17 months ago, Dec 20, 2022, to Administrative)
[...] Agreed - unfortunately - and thanks for your work and communication with TLG as shown in your article in (URL) Shiran! We need people like you. (17 months ago, Dec 20, 2022, to Administrative)
Well well... Not only is that an utter lie and nobody offered you any "service to fix several potential security loopholes they had identified", but simply disclosed [...] (17 months ago, Dec 20, 2022, to Administrative)
[...] Literally you are the only person who is. No one else cares about this in the slightest. So why make it a bigger deal than it needs to be? (17 months ago, Dec 20, 2022, to Administrative)
[...] I couldn't have said this better myself. I have worked in IT Security and believe me, there are many of these types of incidents. Most of these happen because companies [...] (17 months ago, Dec 18, 2022, to Administrative)
[...] My impression of the article was the opposite: The security researchers reported the discovered vulnerabilities to LEGO, and the company took action to fix all issues. [...] (17 months ago, Dec 18, 2022, to Administrative)
[...] That's not how this works. A security researcher isn't a "supplier." The correct response when someone privately discloses a vulnerability is to say thank you [...] (17 months ago, Dec 17, 2022, to Administrative)
[...] Yes and no. If they are white hat hackers, then it is good. If they are a vendor trying to get you to use their service, then it is indeed dirty pool. This seems like [...] (17 months ago, Dec 17, 2022, to Administrative)
[...] I sit near the IT dept at my company (I'm not in IT myself) and vendors pull this stunt all the time. The vendor hopes someone other than the person who decided [...] (17 months ago, Dec 17, 2022, to Administrative)
[...] I don't find Russell's title offensive at all, but you do have a good idea in there about an email blast to sellers. (17 months ago, Dec 17, 2022, to Administrative)
[...] Yep - me too - but you must professionally know it's not your business (until you're eventually in contract with them) ;-) (17 months ago, Dec 17, 2022, to Administrative)
[...] I'm sure she knows, just like everyone! I wouldn't do any such acronym thing (first), I'd just do a CTRL+F on all user input fields and check if they're [...] (17 months ago, Dec 17, 2022, to Administrative)
Upon closer read.... near the end. So this is good.... "The security researchers reported the discovered vulnerabilities to LEGO, and the company took action to fix all issues." [...] (17 months ago, Dec 17, 2022, to Administrative)
Can you provide us some assurance by telling us the types of security scans that you are running on BrickLink? You don't need to name brands/names of specific tools. Just [...] (17 months ago, Dec 17, 2022, to Administrative)
[...] That was not my take away from your initial post. It felt to me like "No big deal, these bozos are just trying to scam us into using their product/service." (17 months ago, Dec 17, 2022, to Administrative)
[...] Not sure of your point, but it does not make the XSS and XXE vulnerabilities any less concerning. I wrote it off to poor writing/journalism. (17 months ago, Dec 17, 2022, to Administrative)
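For readers unfamiliar with the two bug classes named in the comment above, here is an added illustration (not code from the thread, from the researchers' article, or from BrickLink) of the shape of the mitigations a site would apply: refusing XML that carries a DTD before it reaches the parser (the usual entry point for XXE) and HTML-escaping user text before it is rendered (the usual fix for reflected or stored XSS). The sample payloads are constructed for the example; the function names and the regular expression are my own choices, not anything the page describes.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs for the demonstration (not taken from any real report).
# An XXE payload declares an external entity inside a DTD and references it.
XXE_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<order><note>&xxe;</note></order>"
)
# A benign document for the same endpoint carries no DTD at all.
SAFE_XML = "<order><item sku='3001'>4</item></order>"

# Pre-parse guard: any DOCTYPE or ENTITY declaration is rejected outright.
# Case-insensitive because XML keywords are matched by the parser that way too.
_DTD_MARKERS = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def parse_xml_without_dtd(data: str) -> ET.Element:
    """Parse XML only if it contains no DTD; raise ValueError otherwise.

    Blocking the DTD removes the place where external entities are declared,
    so an attacker cannot point the parser at local files or internal URLs.
    A hypothetical guard for illustration; a production service should also
    disable DTD/entity processing in the XML library it actually uses.
    """
    if _DTD_MARKERS.search(data):
        raise ValueError("XML with a DOCTYPE or ENTITY declaration is not accepted")
    return ET.fromstring(data)


def render_comment(user_text: str) -> str:
    """Return an HTML fragment in which user-controlled text cannot break out.

    html.escape with quote=True turns <, >, &, " and ' into entities, so a
    value such as <script>...</script> is displayed literally instead of
    being executed in the visitor's browser.
    """
    return '<li class="comment">{}</li>'.format(html.escape(user_text, quote=True))


def demo() -> dict:
    """Run both checks on the constructed inputs and report what happened."""
    result = {}
    try:
        parse_xml_without_dtd(XXE_PAYLOAD)
        result["xxe_blocked"] = False
    except ValueError:
        result["xxe_blocked"] = True
    result["safe_root_tag"] = parse_xml_without_dtd(SAFE_XML).tag
    result["rendered"] = render_comment('<script>alert("x")</script>')
    return result


if __name__ == "__main__":
    print(demo())
```

The regular expression is deliberately a coarse, fail-closed filter: it will also reject legitimate documents that happen to declare a DTD, which for an order or listing API is an acceptable trade. It is a belt-and-braces measure, not a substitute for turning off entity resolution in the parser itself.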
[...] From the article, which then goes on to describe vulnerabilities totally unrelated to the API: [...] (17 months ago, Dec 17, 2022, to Administrative)