SlickWraps, maker of wraps and accessories for electronics, was caught with its pants down today. A security researcher known by the Twitter handle @Lynx0x00 (Lynx) posted an article on Medium detailing how easily they infiltrated and gained control of SlickWraps operations. The information left exposed included all past and current customer data, résumés and personal data of employees, all the images used for customized wraps, and API credentials for internal software as well as social accounts.
The Medium post has already been taken down, but you can read an archived snapshot and the penetration test. According to Lynx, the reason for its removal was it contained “copies of private conversations” from when they were looking for another perspective on the vulnerability.
How did this get started? — Lynx first became aware of a swath of general complaints against SlickWraps regarding scam sales in June 2019. Then, a customer looking for basic support in January sparked a renewed interest because the support team used an alleged hack as a scapegoat.
Lynx found, in the phone case customization area, that an upload.php endpoint allowed anyone with the right toolkit to upload files to the webroot and overwrite files.
What was left out in the open? — The initial upload of a .htaccess file opened up employee data, including résumés, as well as 9GB of photos from the SlickWraps customizer. Lynx was then able to unlock the ability to send shell commands, which granted access to the site’s admin details, the corporate Slack team and its messages, and customer information (email addresses, passwords, physical addresses, phone numbers, and transaction histories). They also accessed the following API credentials:
- MadMimi (an email marketing service provider)
- PayPal Payments Pro (a credit card and payment handler)
- Braintree (a credit card and payment handler)
- ShipHero (a warehouse management system)
- Zendesk (a customer service platform)
- The official Facebook account
- The official Twitter account
- The official Instagram account
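The root cause described above was an upload endpoint that wrote client-named files straight into the webroot, so a .htaccess file (and later a shell) could be planted. Below is an added example of how a defensive upload handler avoids that class of bug; it is illustrative code written for this article, not SlickWraps code, and the file-name policy, allowed formats and directory layout are constructed assumptions.

```python
import os
import re
import secrets
import tempfile

# Constructed policy for an image-upload endpoint such as a case customizer.
# The name must be a plain stem plus an allowed image extension: this alone
# rejects dotfiles (.htaccess), traversal sequences and double extensions.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g)$", re.IGNORECASE)
# Leading bytes of the allowed image formats.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}

def check_upload(client_name: str, data: bytes) -> tuple[bool, str]:
    """Return (True, kind) for an acceptable image, else (False, reason).
    The client-supplied name is only ever inspected, never used on disk."""
    base = os.path.basename(client_name.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return False, f"rejected name {base!r}"
    declared = "png" if base.lower().endswith(".png") else "jpg"
    actual = next((k for sig, k in MAGIC.items() if data.startswith(sig)), None)
    if actual != declared:
        return False, f"content ({actual}) does not match extension ({declared})"
    return True, actual

def store_upload(client_name: str, data: bytes, upload_dir: str) -> str:
    """Write an accepted file under a random, server-chosen name in a directory
    the web server does not serve; never overwrite an existing file."""
    ok, detail = check_upload(client_name, data)
    if not ok:
        raise ValueError(detail)
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{detail}")
    # O_EXCL makes the create atomic and fails if the name already exists,
    # so this handler cannot clobber a file the way an open webroot upload can.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def demo_store() -> tuple[str, bool]:
    """Store a constructed PNG in a temporary directory; return the stored
    basename and whether the bytes round-tripped intact."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    with tempfile.TemporaryDirectory() as d:
        path = store_upload("case.png", png, d)
        with open(path, "rb") as f:
            return os.path.basename(path), f.read() == png
```

The upload directory must sit outside the document root and be served, if at all, through a handler that sets a fixed image content type, so no uploaded file is ever interpreted by the web server as configuration or code.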
What did SlickWraps do about it? — On February 15, Lynx began reaching out to SlickWraps to inform them of the breach. This process took several days, which included them getting blocked, unblocked, and reblocked on Twitter. Lynx, who still had access at this point, noticed the company attempting to cover its tracks and patch the vulnerability without notifying its customers (under GDPR, they can get significantly fined for this). Almost humorously, none of the fixes they tried addressed the glaring upload vulnerability that set off this chain reaction of access.
Others appeared to be tooling around in the system during this time and at least one hacker sent out emails to customers notifying them of the breach the day the Medium post went live.
Lynx did not send these emails, and they no longer have access to any SlickWraps information.
SlickWraps allegedly sent the following email to all of its users, but some responses on Twitter indicate they haven’t received this information. The statement incorrectly puts February 21 as the first day it was aware of the breach and not the documented February 15. Also, some financial information was involved: the first four and last four numbers of credit cards and the email addresses to PayPal accounts.