SlickWraps Data Breach Exposes Financial and Customer Info
A security researcher says they hacked SlickWraps and, after receiving no response to their emails, publicly disclosed how they gained access to the site and what data was exposed.
SlickWraps is a mobile device case retailer that sells a large assortment of premade cases as well as custom cases printed from images uploaded by customers.
In a post on Medium, a security researcher going by Lynx states that in January 2020 they were able to gain full access to the SlickWraps web site through a path traversal vulnerability in the upload script used for case customizations, that is, the script that accepts the customer images printed on custom cases.
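The article gives no detail beyond "path traversal in an upload script", so the following is an added, generic illustration and not SlickWraps' code: a naive upload handler that joins a client-supplied filename onto the upload directory, beside a hardened version that canonicalises the final path and refuses anything that lands outside the upload root or is not an image type. The upload root, the allowed extensions and the attacker filename are all constructed for the example.

```python
"""Illustrative path traversal in a file-upload handler (added example, not SlickWraps' code).

The vulnerable handler trusts the client-supplied filename; the hardened one
resolves the final path and requires it to stay under the upload root.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Assumption for the example: the customization script only expects image uploads.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg"}


def save_upload_vulnerable(upload_root: str, filename: str, data: bytes) -> str:
    """Naive handler: os.path.join() follows '..' segments and absolute paths verbatim."""
    target = os.path.join(upload_root, filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def save_upload_hardened(upload_root: str, filename: str, data: bytes) -> str:
    """Hardened handler: allow-list the extension, then enforce containment after resolving."""
    root = Path(upload_root).resolve()
    if Path(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"disallowed file type: {filename!r}")
    # resolve() collapses '..' and symlinks; an absolute filename replaces root entirely
    # in the join, so the containment check below catches that case as well.
    target = (root / filename).resolve()
    if root not in target.parents:
        raise ValueError(f"path escapes upload root: {filename!r}")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return str(target)


def _blocked(action) -> bool:
    """Return True if the action is rejected with ValueError, False if it succeeds."""
    try:
        action()
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Run both handlers against constructed inputs in a scratch directory."""
    base = Path(tempfile.mkdtemp())
    root = base / "uploads"
    root.mkdir()
    traversal = "../evil.png"  # constructed attacker input: climb out of uploads/
    results = {}
    try:
        written = Path(save_upload_vulnerable(str(root), traversal, b"not an image")).resolve()
        # The naive handler wrote the file next to, not inside, the upload directory.
        results["vulnerable_escaped"] = root.resolve() not in written.parents
        results["hardened_blocked"] = _blocked(
            lambda: save_upload_hardened(str(root), traversal, b"not an image"))
        results["absolute_blocked"] = _blocked(
            lambda: save_upload_hardened(str(root), str(base / "outside.png"), b"x"))
        results["bad_type_blocked"] = _blocked(
            lambda: save_upload_hardened(str(root), "shell.php", b"<?php ?>"))
        # A benign relative name, including a subdirectory, still works.
        ok = Path(save_upload_hardened(str(root), "cases/order-1.png", b"\x89PNG")).resolve()
        results["hardened_ok_inside"] = root.resolve() in ok.parents
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is deliberately done on the resolved path rather than by string-matching for "..", since encoded, doubled or platform-specific separators are the usual way a naive filter gets bypassed; the extension allow-list is a second, independent layer so that even a file written inside the root cannot be an executable script.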
Using this access, Lynx says they were able to reach employee resumes, 9GB of personal customer photos, the ZenDesk ticketing system, API credentials, and personal customer information including hashed passwords, addresses, email addresses, phone numbers, and transactions.
After trying to report these issues to SlickWraps, Lynx says they were blocked multiple times, even after making clear that they did not want a bounty but rather wanted SlickWraps to disclose the data breach.
"They had no interest in accepting security advice from me. They simply blocked and ignored me," Lynx stated in the Medium post.
Since publishing the Medium post, Lynx told BleepingComputer that another unauthorized user sent an email to 377,428 customers using SlickWraps' ZenDesk help desk system.
These emails begin with "If you're reading this it's too late, we have your data" and then link to Lynx's Medium post.
Some of these customers have posted screenshots of the email to Twitter, as seen below.
When BleepingComputer asked Lynx if they knew who was sending out the emails, they told us that it was not them, but that they had seen traces of other unauthorized users in SlickWraps' web site as well.
"I saw some activity during my research, maybe they're the same people who sent out the emails? No clue to be honest," Lynx told BleepingComputer.
When we asked why they continued to look for more vulnerabilities instead of simply contacting SlickWraps when they first gained access, we were told:
"As a white hat, we want to see how far we can go so we can generate a full report. No point in doing research and reporting the first vulnerability when there's still 10 others."
While Lynx told BleepingComputer that they are always concerned about legal repercussions after performing penetration testing, they felt that, given the severity of the data breach, it needed to be publicly disclosed.
"Companies know that I never intend to harm them and sometimes even offer bounties. This one was different in the sense that they blocked me and did not care about their customers at all. Since this is a major breach, and I exhausted all my other options to contact them, I felt the need to disclose this publicly, in hopes that they fix this asap."
Even with the breach and its technical details now public in the Medium post, Lynx told us that the vulnerabilities still exist in the web site and that they still have access.
For those who have used SlickWraps in the past, Lynx has passed along the customer info to Troy Hunt of the Have I Been Pwned data breach notification service.
It is not known if Hunt will add this database to his system, but if he does, customers will be able to check if their email addresses are included in the database provided by Lynx.
For now, it is strongly suggested that all users change their SlickWraps password and use a unique password at every web site they visit, so that a password exposed in one breach cannot be reused against their other accounts.
BleepingComputer has reached out to SlickWraps with questions but had not heard back at this time.