
[Updated x2] PSA: If You’ve Ever Bought Anything from SlickWraps, All Your Personal Info Has Been Compromised


SlickWraps, one of the most well-known device skin manufacturers, seems to have a major security problem on its hands. A security researcher going by the Twitter handle Lynx0x00 managed to make their way into SlickWraps’ systems and compromise seemingly everything. If you’re a SlickWraps customer, it’s time to lock down your credit and change passwords.


Update, 2/21: Shortly after publishing this post, SlickWraps released an official statement via its Twitter account:

https://twitter.com/SlickWraps/status/1230929725192839170?s=20

Update x2, 2/21: The original Medium post detailing this breach is no longer available. You can find an archived version here.

The original report is left intact below.


As he explained in a Medium post, Lynx0x00 first started looking into SlickWraps because of customer service complaints on Twitter. But the real story begins when he saw a claim that a hacker had breached SlickWraps’ ZenDesk accounts, and so he started testing.

It didn’t take long before he had full access to customer databases. The phone case customization area of the company’s website contained a vulnerability that allowed anyone with the right set of tools to upload any file to any location in the highest directory on the server. From there, everything else fell like dominoes.

Lynx says he gained access to the company’s databases, Slack, transaction logs for their payment gateways, and even full control of the company’s content management system.

Eventually, he tried to disclose the vulnerability to SlickWraps, both with conventional means (like a well-worded email) and unconventional means (like a vague Tweet with less vague follow-ups). Initially, his attempts at contact went unanswered, and the company even blocked him on Twitter.

Eventually, he managed to get in contact with the SlickWraps social media team, but that discussion went poorly, and the company blocked him again. That led to Lynx publishing his findings on Medium. For its part, SlickWraps hasn’t acknowledged Lynx’s claims, and its Twitter account is radio silent. We’ll update this post if the company does release a statement. (Edit: You can read SlickWraps’ statement above.)

Unfortunately, we have every reason to believe that someone has access to SlickWraps accounts and services. Customers are starting to post emails from the official SlickWraps email account, but written by someone else. Lynx has stated he didn’t write the email.

If you’ve ever purchased anything from SlickWraps, you may want to lock down your credit and contact your credit card companies.

You may want to reset passwords too, and if you reuse the same password for many sites, you should stop. We suggest using a password manager to create unique passwords for every website.

via Lynx0x00 on Medium

Josh Hendrickson
Josh Hendrickson is the Editor in Chief of Review Geek and is responsible for the site's content direction. He has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smart home enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code.