What you need to know
- SlickWraps reportedly had a serious vulnerability that could let any knowledgeable attacker gain access to customer data and more through its website.
- The firm also rebuffed attempts by security researchers to work towards fixing the vulnerability.
- Taking matters into his own hands, researcher Lynx0x00 used capabilities granted by the vulnerability to warn customers about the breach.
Security is hard. Even firms like Facebook and Twitter, with all the smart people who work there and the high-stakes consequences of failure, still experience data breaches from time to time. It wouldn't be surprising to learn that SlickWraps, a company known for selling cute wraps for your phone and laptop, had experienced a vulnerability of its own.
What's more concerning is the way the firm went out of its way to actively ignore warnings from a security researcher and avoided communicating the breach to its customers, as required by EU law.
In a breathtaking piece full of twists and turns, Lynx0x00 shared the whole sordid affair on Medium.
Here are some salient excerpts:
On how he got access to the SlickWraps database:
This [phone case customization] page contained an inexcusable vulnerability: anyone with the right toolkit could upload any file to any location in the highest directory on their server (i.e. the "web root"). From there, a simple .htaccess file was uploaded, enabling a path to:
- Resumes of current and past SlickWraps employees (incl. selfies, email addresses, home addresses, phone numbers, etc.)
- 9GB of personal customer photos, uploaded via the SlickWraps phone case customization tool (incl. backups of customer-uploaded pornography).
Due to SlickWraps' blatant disregard for any semblance of operational security, I was effortlessly able to achieve remote code execution and unlock the ability to execute shell commands. For the uninitiated, the ability to execute shell commands is akin to obtaining a skeleton key. It unlocks everything.
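The root cause in the excerpt above is an upload handler that let a client choose both the file name and its destination (the web root), which is why a `.htaccess` file could be dropped in. The following is an added example, not code from Lynx0x00's write-up or from SlickWraps: a hypothetical upload validator for a customization tool that rejects dotfiles and non-image content, strips path components, and stores files under a server-chosen random name outside the web root.

```python
import secrets
from pathlib import Path

# Hypothetical upload handler for a phone-case customization tool (constructed
# for this example; not SlickWraps' code). Customer images must never land in
# the web root, and nothing that Apache reads as configuration (.htaccess,
# .htpasswd, any dotfile) or that the server could execute may be accepted.

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg"}
# Magic bytes for the allowed image formats, so the extension alone cannot lie.
MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")


def validate_upload(filename: str, data: bytes) -> str:
    """Return the extension to store under, or raise ValueError."""
    # Keep only the final path component: "../../.htaccess" becomes ".htaccess",
    # so the client cannot steer the file into another directory.
    base = Path(filename).name
    if not base or base.startswith("."):
        raise ValueError("dotfiles such as .htaccess are rejected")
    suffixes = [s.lower() for s in Path(base).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in allowlist")
    # Double extensions like shell.php.jpg: every suffix must be allowed.
    if any(s not in ALLOWED_EXTENSIONS for s in suffixes):
        raise ValueError("multiple extensions rejected")
    if not data.startswith(MAGIC):
        raise ValueError("content is not a PNG or JPEG")
    return suffixes[-1]


def is_accepted(filename: str, data: bytes) -> bool:
    """Boolean wrapper for logging rejected uploads and for tests."""
    try:
        validate_upload(filename, data)
        return True
    except ValueError:
        return False


def store_upload(filename: str, data: bytes, store_dir: Path) -> Path:
    """Write the file under a random name in store_dir (outside the web root)."""
    ext = validate_upload(filename, data)
    # Server-chosen name: the client never controls where the bytes end up.
    dest = store_dir / (secrets.token_hex(16) + ext)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest
```

Serving stored images back through a handler that sets a fixed image content type, rather than exposing the storage directory to Apache, keeps any accepted file from ever being interpreted as configuration or script.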
A selection of things he could access included:
I was able to add myself as the Owner of their Zendesk platform. Now that I had the ability to receive emails at an inbox which was tied to multiple SlickWraps accounts, I simply sent password resets and further unlocked:
- Full access to their corporate Slack team — one which had 135,000 historical messages contained within it.
- Current account balances and transaction logs for their payment gateways (PayPal and Braintree).
I found that their administrator panel (i.e. the interface for SlickWraps employees and executives to pull reports and manage content on the SlickWraps website) was carelessly protected by a pointless firewall (remember: I had the "skeleton key"). I added myself as an admin user and immediately gained full control over their content management system.
In essence, anyone who exploited the vulnerability could do as they liked with SlickWraps users' data. It's a very, very, very serious breach.
It's not as if SlickWraps was unaware of the breach. Lynx details several attempts at making contact with the company, from the subtle to the very direct. Each time he was rebuffed, and he was eventually blocked twice by the SlickWraps Twitter account. Not a very good look for the company. While the firm is reportedly trying to clean up its exposed areas, it still left the vulnerability open. It's somewhat like changing the doors of your house but keeping the same old locks: a lot of effort for little reward.
Expressing bewilderment at the way events played out, Lynx writes:
I still cannot grasp why SlickWraps didn't simply communicate with me to learn where the foundational vulnerabilities lay. I was becoming increasingly frustrated by the fact that they were not acting on their obligation to inform customers of the privacy breach. To understand the gravity of this data breach, note that non-compliance of notifying customers of a data breach within the EU can result in administrative fines of up to €20 million, or four percent of a company's global annual turnover — whichever is higher.
Making a mistake is natural. Everyone does it from time to time. The true character metric is how you respond to being found out. In more ways than one, SlickWraps failed the vibe check,