SlickWraps, one of the best-known device skin manufacturers, appears to have a major security problem on its hands. A security researcher going by the Twitter handle Lynx0x00 managed to get into SlickWraps' systems and compromise seemingly everything. If you're a SlickWraps customer, it's time to lock down your credit and change your passwords.
Update, 2/21: Shortly after publishing this post, SlickWraps released an official statement via its Twitter account:
Update x2, 2/21: The original Medium post detailing this breach is no longer available. You can find an archived version here.
The original report is left intact below.
As he explained in a Medium post, Lynx0x00 first started looking into SlickWraps because of customer service complaints on Twitter. The real story begins when he saw a claim that a hacker had breached SlickWraps' Zendesk account, and so he started testing.
It didn't take long before he had full access to customer databases. The phone case customization area of the company's website contained a vulnerability that let anyone with the right tooling write an arbitrary file to an arbitrary location, up to the top-level directory, on the server. Once you can write your own files onto a web server, everything else falls like dominoes.
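To make the bug class concrete, here is an added Python illustration of an upload handler that trusts the client-supplied filename, next to a hardened version. This is not SlickWraps' code (which was never published) and says nothing about how their endpoint was actually built; the directory layout, the extension allow-list, the size cap and the sample request are all assumptions for the demo.

```python
"""
Illustrative arbitrary-file-upload handler (NOT SlickWraps' code).

Models the class of bug described above: an upload endpoint that uses the
client-supplied filename as a path, so a single request can write any file
to any location the web server process can reach. The hardened version
shows the checks a reviewer would expect. Directory layout, allow-list and
sample request are assumptions for this demo.
"""
import os
import secrets
import tempfile

# Hypothetical layout: the web root contains an uploads/ directory.
WEB_ROOT = tempfile.mkdtemp(prefix="webroot_")
UPLOAD_DIR = os.path.join(WEB_ROOT, "uploads")
os.makedirs(UPLOAD_DIR)

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg"}   # assumed policy for skin images
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def save_upload_vulnerable(filename: str, data: bytes) -> str:
    """Trusts the client name. '../' segments escape uploads/, and nothing
    stops an executable or HTML payload from landing in the web root."""
    dest = os.path.join(UPLOAD_DIR, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def save_upload_hardened(filename: str, data: bytes) -> str:
    """Never uses the client name as a path: caps the size, allow-lists the
    extension, generates the stored name server-side, and verifies the
    resolved destination is still inside UPLOAD_DIR before creating it."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("upload too large")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    stored_name = secrets.token_hex(16) + ext
    dest = os.path.realpath(os.path.join(UPLOAD_DIR, stored_name))
    upload_root = os.path.realpath(UPLOAD_DIR)
    if os.path.commonpath([upload_root, dest]) != upload_root:
        raise ValueError("path escapes upload directory")
    # O_EXCL: create a fresh file, never overwrite something that exists.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def escapes_upload_dir(path: str) -> bool:
    """True if `path` resolves outside UPLOAD_DIR (the traversal check)."""
    root = os.path.realpath(UPLOAD_DIR)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def hardened_rejects(filename: str, data: bytes) -> bool:
    """True if the hardened handler refuses the upload."""
    try:
        save_upload_hardened(filename, data)
    except ValueError:
        return True
    return False


# Constructed attacker request: overwrite the site's front page by walking
# one directory up out of uploads/.
ATTACKER_NAME = "../index.html"
ATTACKER_BODY = b"<h1>overwritten</h1>"

if __name__ == "__main__":
    written = save_upload_vulnerable(ATTACKER_NAME, ATTACKER_BODY)
    print("vulnerable handler wrote:", written,
          "| escaped uploads/:", escapes_upload_dir(written))
    print("hardened handler rejects the same request:",
          hardened_rejects(ATTACKER_NAME, ATTACKER_BODY))
    print("hardened handler stores a real image as:",
          save_upload_hardened("skin.PNG", b"\x89PNG\r\n\x1a\n"))
```

The traversal check alone is not enough: even a filename with no `../` in it can still drop a server-side script into a directory the web server executes, which is why the hardened version also refuses to let the client choose the stored name or its extension.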
Lynx says he gained access to the company’s databases, Slack, transaction logs for their payment gateways, and even full control of the company’s content management system.
He then tried to disclose the vulnerability to SlickWraps, both through conventional means (a well-worded email) and unconventional ones (a vague tweet followed by less vague follow-ups). Initially, his attempts at contact went unanswered, and the company even blocked him on Twitter.
Eventually, he managed to get in contact with the SlickWraps social media team, but that discussion went poorly, and the company blocked him again. That led Lynx to publish his findings on Medium. For its part, SlickWraps hasn't acknowledged Lynx's claims, and its Twitter account is radio silent. We'll update this post if the company does release a statement. (Edit: You can read SlickWraps' statement above.)
Unfortunately, we have every reason to believe that someone other than Lynx still has access to SlickWraps accounts and services. Customers are starting to post emails that were sent from the official SlickWraps address but were clearly not written by the company. Lynx has stated he didn't write the email.
Well that's a big old yikes from @SlickWraps pic.twitter.com/28SOEMIBZ9
— Toneman (@Toneman) February 21, 2020
If you’ve ever purchased anything from SlickWraps you may want to lock down your credit and contact your credit card companies.
You may want to reset passwords too, and if you reuse the same password for many sites, you should stop. We suggest using a password manager to create unique passwords for every website.