Source: Android Central
What you need to know
- SlickWraps reportedly had a serious vulnerability that could let any knowledgeable attacker gain access to customer data and more through its website.
- The firm also rebuffed attempts by security researchers to work towards fixing the vulnerability.
- Taking matters into his own hands, researcher Lynx0x00 used capabilities granted by the vulnerability to warn customers about the breach.
Security is hard. Even firms like Facebook and Twitter, with all the smart people who work there and the high stakes of failure, still experience data breaches from time to time. It wouldn't be surprising to learn that SlickWraps, a company known for selling cute wraps for your phones and laptops, had a vulnerability of its own.
What's more concerning is the way the firm went out of its way to actively ignore warnings from a security researcher and avoided communicating the breach to its customers, as required by EU law.
In a breathtaking piece full of twists and turns, Lynx0x00 shared the whole sordid affair on Medium.
Here are some salient excerpts:
On how he got access to the SlickWraps database:
This [phone case customization] page contained an inexcusable vulnerability: anyone with the right toolkit could upload any file to any location in the highest directory on their server (i.e. the "web root"). From there, a simple .htaccess file was uploaded, enabling a path to:
- Resumes of current and past SlickWraps employees (incl. selfies, email addresses, home addresses, phone numbers, etc.)
- 9GB of personal customer photos, uploaded via the SlickWraps phone case customization tool (incl. backups of customer-uploaded pornography).
Due to SlickWraps' blatant disregard for any semblance of operational security, I was effortlessly able to achieve remote code execution and unlock the ability to execute shell commands. For the uninitiated, the ability to execute shell commands is akin to obtaining a skeleton key. It unlocks everything.
A selection of things he could access included:
I was able to add myself as the Owner of their Zendesk platform. Now that I had the ability to receive emails at an inbox which was tied to multiple SlickWraps accounts, I simply sent password resets and further unlocked:
- Full access to their corporate Slack team — one which had 135,000 historical messages contained within it.
- Current account balances and transaction logs for their payment gateways (PayPal and Braintree).
I found that their administrator panel (i.e. the interface for SlickWraps employees and executives to pull reports and manage content on the SlickWraps website) was carelessly protected by a pointless firewall (remember: I had the "skeleton key"). I added myself as an admin user and immediately gained full control over their content management system.
In essence, anyone who exploited the vulnerability could do as they liked with SlickWraps users' data. It's a very, very, very serious breach.
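The root cause in the quoted write-up is an upload endpoint that let the client choose the destination path inside the web root and accept any file, including an .htaccess. The following is an added example (not code from the article, from Lynx0x00's post, or from SlickWraps) of the validation a customization-image upload handler should perform instead; the storage directory `/var/app/uploads`, the allowlist and the sample bytes are assumptions constructed for the example.

```python
import os
import secrets

# Allowlist of image types the customization tool needs, with the magic
# bytes each must start with; everything else (.php, .htaccess, ...) is refused.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumed storage directory, deliberately outside the web-served document root.
UPLOAD_ROOT = os.path.abspath("/var/app/uploads")

# Constructed sample input: the first bytes of a PNG file.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def check_upload(client_filename, data, upload_root=UPLOAD_ROOT):
    """Validate one upload. Returns (True, storage_path) or (False, reason).

    The client-supplied name is used only to pick an allowlisted extension;
    the stored name is server-generated, so the client never chooses where
    the file lands or what it is called.
    """
    # Discard any directory component the client sent (../, /, or backslashes).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "empty name or dotfile refused"  # catches .htaccess
    ext = os.path.splitext(base)[1].lower()
    if ext not in MAGIC:
        return False, f"extension {ext!r} not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared image type"
    stored = secrets.token_hex(16) + ext
    final = os.path.abspath(os.path.join(upload_root, stored))
    # Defence in depth: the resolved path must remain inside upload_root.
    if os.path.commonpath([final, upload_root]) != upload_root:
        return False, "path escapes upload root"
    return True, final


if __name__ == "__main__":
    print(check_upload("selfie.png", SAMPLE_PNG))
    print(check_upload("../../.htaccess", b"Options +Indexes"))
    print(check_upload("shell.png", b"<?php"))
```

Serving the stored files through a handler that sets the image content type, rather than from the document root, closes the remaining gap of the web server interpreting an uploaded file.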
https://twitter.com/Lynx0x00/status/1228856602649878530
It's not like SlickWraps was unaware of the breach. Lynx details several attempts at making contact with the company, from the subtle to the very direct. Each time he was rebuffed, and he was eventually blocked by the SlickWraps Twitter account, twice. Not a good look for the company. While the firm is reportedly trying to clean up its exposed areas, it has still left the vulnerability open. It's somewhat like changing the doors of your house but keeping the same old locks: a lot of effort for little reward.
Expressing bewilderment at the way events played out, Lynx writes:
https://twitter.com/Lynx0x00/status/1229740632773496832
I still cannot grasp why SlickWraps didn't simply communicate with me to learn where the foundational vulnerabilities lay. I was becoming increasingly frustrated by the fact that they were not acting on their obligation to inform customers of the privacy breach. To understand the gravity of this data breach, note that non-compliance of notifying customers of a data breach within the EU can result in administrative fines of up to €20 million, or four percent of a company's global annual turnover — whichever is higher.
Making a mistake is natural. Everyone does it from time to time. The true measure of character is how you respond to being found out. In more ways than one, SlickWraps failed the vibe check.