The Slickwraps data leak and the Dirty Cow vulnerability

[German]US Retailer Slickwraps attracted attention because security researchers were able to access protected customer and financial data. The case once again reveals ignorance and unbelievable sloppiness, as a long patchable Dirty Cow vulnerability was exploitable.


Slickwraps is a US-based retailer that sells a wide range of pre-made protective covers for mobile devices. There is also the possibility to have custom made products made with images uploaded by customers.

The privacy incident

The colleagues from Bleeping Computer have prepared the case of the data protection violation here. In an article for Medium, a security researcher named Lynx states that he was able to gain full access to the slickwraps website in January 2020. To do this, he exploited a vulnerability in an upload script used for user customization of smartphone cases.

In the meantime, the article has been set to private and is no longer accessible. There is an information that the post has violated the rules of medium and is being analyzed. The disclosure in the Medium post was made after the security researcher had not received any response to e-mails sent to the provider.

Through the vulnerability, Lynx claims to have gained access to employee CVs, 9GB of personal customer photos, the ZenDesk ticketing system, API access data, and personal customer data including hashed passwords, addresses, email addresses, phone numbers and transactions.

After Lynx tried to report this vulnerability to slickwraps, it was blocked several times, the security researcher said. He explained that he was not interested in the bug bounty premium, but that slickwraps should disclose the privacy violation.


Someone is hacking and sending out emails

Lynx informed Bleeping Computer that another unauthorized user exploited the vulnerability after the media post was published to send an email to 377,428 customers using Slickwraps' ZenDesk helpdesk system.

These emails start with "By the time you read this it will be too late, we have your data" and are then linked to Lynx's medium mail. On Twitter, people have posted screenshots of it.

After Bleeping Computer followed up, Slipwraps had to admit the privacy incident (see tweet above). Lawrence Abrams did a very neat job of reporting this in the Bleeping Computer article.

The dirty backyards

I had read about Bleeping Computer, but 1st in intended to drop it because it's an US Shop, not relevant for European customers bound by GDPR. Then I came across a series of tweets from the MalwareHunter team.

With the above tweet my interest was aroused and I browsed the tweets of the team. Here is a follow-up tweet:

There the sentence 'Having a box vulnerable to Dirty COW (meaning not alone that, but imagine if that is still not fixed…) in 2020' caught my eye. Here is my German article Sicherheitsinfos 21.10.2016, that describes the Dirty Cow vulnerability in the Linux kernel – at that time I was blogging only in German.

The vulnerability CVE-2016-5195 allows standard users to escalate privileges so that files can be overwritten even though read-only access would be allowed. The vulnerability has existed in the Linux kernel for 9 years. And the operators of the platform slickwraps have still not closed it. There is probably a lot in the mess.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Linux, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *