[German]US Retailer Slickwraps attracted attention because security researchers were able to access protected customer and financial data. The case once again reveals ignorance and unbelievable sloppiness, as a long patchable Dirty Cow vulnerability was exploitable.
Advertising
Slickwraps is a US-based retailer that sells a wide range of pre-made protective covers for mobile devices. There is also the possibility to have custom made products made with images uploaded by customers.
The privacy incident
The colleagues from Bleeping Computer have prepared the case of the data protection violation here. In an article for Medium, a security researcher named Lynx states that he was able to gain full access to the slickwraps website in January 2020. To do this, he exploited a vulnerability in an upload script used for user customization of smartphone cases.
In the meantime, the article has been set to private and is no longer accessible. There is an information that the post has violated the rules of medium and is being analyzed. The disclosure in the Medium post was made after the security researcher had not received any response to e-mails sent to the provider.
Through the vulnerability, Lynx claims to have gained access to employee CVs, 9GB of personal customer photos, the ZenDesk ticketing system, API access data, and personal customer data including hashed passwords, addresses, email addresses, phone numbers and transactions.
After Lynx tried to report this vulnerability to slickwraps, it was blocked several times, the security researcher said. He explained that he was not interested in the bug bounty premium, but that slickwraps should disclose the privacy violation.
Advertising
Someone is hacking and sending out emails
Lynx informed Bleeping Computer that another unauthorized user exploited the vulnerability after the media post was published to send an email to 377,428 customers using Slickwraps' ZenDesk helpdesk system.
Well that's a big old yikes from @SlickWraps pic.twitter.com/28SOEMIBZ9
— Toneman (@Toneman) February 21, 2020
These emails start with "By the time you read this it will be too late, we have your data" and are then linked to Lynx's medium mail. On Twitter, people have posted screenshots of it.
We sent an email to all Slickwraps users today regarding a data leak that occurred. You can read in more detail about it and the actions we took here: pic.twitter.com/RPDxu41MCO
— Slickwraps (@SlickWraps) February 21, 2020
After Bleeping Computer followed up, Slipwraps had to admit the privacy incident (see tweet above). Lawrence Abrams did a very neat job of reporting this in the Bleeping Computer article.
The dirty backyards
I had read about Bleeping Computer, but 1st in intended to drop it because it's an US Shop, not relevant for European customers bound by GDPR. Then I came across a series of tweets from the MalwareHunter team.
Crazy story… https://t.co/3IBVws4aHB
— MalwareHunterTeam (@malwrhunterteam) February 21, 2020
With the above tweet my interest was aroused and I browsed the tweets of the team. Here is a follow-up tweet:
One thing needs to be said: the people sending these emails included links for a lot of people based on their location (2nd screenshot is a random example, but doing a search on Twitter shows lots more), which shows they actually spent time on this, not just got in & mass mail… pic.twitter.com/OrFwnPECXg
— MalwareHunterTeam (@malwrhunterteam) February 21, 2020
There the sentence 'Having a box vulnerable to Dirty COW (meaning not alone that, but imagine if that is still not fixed…) in 2020' caught my eye. Here is my German article Sicherheitsinfos 21.10.2016, that describes the Dirty Cow vulnerability in the Linux kernel – at that time I was blogging only in German.
The vulnerability CVE-2016-5195 allows standard users to escalate privileges so that files can be overwritten even though read-only access would be allowed. The vulnerability has existed in the Linux kernel for 9 years. And the operators of the platform slickwraps have still not closed it. There is probably a lot in the mess.
