What you need to know
- SlickWraps reportedly had a serious vulnerability that could let any knowledgable attacker gain access to customer data and more using its website.
- The firm also rebuffed attempts by security researchers to work towards fixing the vulnerability.
- Taking matters into his own hands, researcher Lynx0x00 used capabilities granted by the vulnerability to warn customers about the breach.
Security is hard. Even firms like Facebook and Twitter, with all the smart people who work there and the high stakes results of failure, still experience data breaches from time to time. It wouldn't be surprising to learn that SlickWraps, a company known for selling cute wrap for your phone and laptops, would have experienced a vulnerability of its own.
What's more concerning is the way the firm went out of its way to actively ignore warnings from a Security Researcher and avoid communicating the breach to its customers, as required by EU Law.
In a breathtaking piece full of twists and turns, Lynx0x00 shared the whole sordid affair on Medium.
Here are some salient excerpts:
On how he got access to the SlickWraps database:
This [phone case customization] page contained an inexcusable vulnerability: anyone with the right toolkit could upload any file to any location in the highest directory on their server (i.e. the "web root"). From there, a simple .htaccess file was uploaded, enabling a path to:
- Resumes of current and past SlickWraps employees (incl. selfies, email addresses, home addresses, phone numbers, etc.)
- 9GB of personal customer photos, uploaded via the SlickWraps phone case customization tool (incl. backups of customer-uploaded pornography).
Due to SlickWraps' blatant disregard for any semblance of operational security, I was effortlessly able to achieve remote code execution and unlock the ability to execute shell commands. For the uninitiated, the ability to execute shell commands is akin to obtaining a skeleton key. It unlocks everything.
A selection of things he could access included:
I was able to add myself as the Owner of their Zendesk platform. Now that I had the ability to receive emails at an inbox which was tied to multiple SlickWraps accounts, I simply sent password resets and further unlocked:
- Full access to their corporate Slack team — one which had 135,000 historical messages contained within it.
- Current account balances and transaction logs for their payment gateways (PayPal and Braintree).
I found that their administrator panel (i.e. the interface for SlickWraps employees and executives to pull reports and manage content on the SlickWraps website) was carelessly protected by a pointless firewall (remember: I had the "skeleton key"). I added myself as an admin user and immediately gained full control over their content management system.
In essence, anyone who accessed the vulnerability could do as they like with SlickWraps users' data. It's a very, very, very serious breach.
It's not like SlickWraps were unaware of the breach. Lynx details several attempts at making contact with them, from the subtle to the very direct. Each time, not only is he rebuffed, but he is eventually blocked by the SlickWraps twitter account twice. Not a very good look for the company. While the firm is reportedly trying to clean up its exposed areas, it still left the vulnerability open. It's somewhat like changing the doors of your house but leaving the same old locks, a lot of effort for little reward.
Expressing bewilderment at the way events played out, Lynx writes:
Making a mistake is natural. Everyone does it from time to time. The true character metric is how you respond to being found out. In more ways than one, SlickWraps failed the vibe check,
There's more happening with this story. Someone else exploited the vulnerability and sent out a mass email using Slickwraps email address to their customers informing them of the security issues. They linked to the blog mentioned above and asked them to contact Slickwraps to complain. They also gave the contact information for my state Attorney General's office.
Yeah + the original reporter's Medium post and the entire Twitter account are gone. Really really odd.
Thank you for signing up to Android Central. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.