In the finance world and in any industry with strict regulatory oversight routine audits put pressure on organizations to be at minimum extremely responsive and at best proactive.
Yeah, but this ain't that. This is basically a device accessory internet company... hardly comparable to a finance company and they're definitely not in an even remotely regulated industry. I mean, think of the logistics of trying to essentially "audit the internet". :eek: Slickwraps operates in the equivalent of late 1800's Deadwood, SD.
 
It's a three-man operation focused on selling overpriced stickers.

I expect the owner of the company to be selling your personal data for money.

This. Like a pedophile getting charged with jaywalking... what does it matter? Save the outrage, this data breach shouldn't even be news.
 
If there was negligence on their part (as seems to be the case), they are doomed.
It's better to learn from your mistakes when someone points them out to you, not after something like this has happened.
 
customer base of more than 370,000 users
On their website you can order without creating an account... I doubt everyone is creating an account. Just place the order and be done with it.
So, why is that data ending up in a database without expiration in the first place? Even if it is saved for warranty reasons, it could be purged after one year.
There is no point in saving customer data for more than a year unless there is an active account. This kind of data is often outdated and thus unreliable.

And when it comes to financial records only the final invoice is relevant. For that, it's better to just archive the PDF invoices automatically, preferably locally (which is quite easy to accomplish).
 
Archive of the Medium article: http://archive.is/yEIJT
His pen test results: https://files.catbox.moe/fxn9r2.pdf

Thanks for sharing. I read through both of those. All of Slickwraps' website missteps are unacceptable. No one with even the slightest experience in coding or server admin would make them. It's really quite unbelievable.

And, yes, his reports were detailed enough that any hacker anywhere could have easily compromised their systems.
 
I read the ‘security researcher’s’ Medium post, and it’s no wonder he deleted it. He’s not coming out of this smelling of roses either. Right up at the top he boasts about obtaining info including the personal details of the employees, including their phone numbers. He also accessed data showing their customer service helpline was severely backlogged and new cases weren’t being touched for several days.

So what does he do to alert the business owners? He sent an email to customer services. Yep, the one he knew was backlogged. He followed up with cryptic tweets and poked around leaving ‘clues’ on their webserver despite knowing it wasn’t being competently maintained.

For reasons I could easily guess he apparently avoided using any of the contact details he obtained, and avoided outright telling them they had a vulnerability, or offering help. (His email to them isn’t posted but if it’s anything like his stupid tweets it would be meaningless noise to an average service rep). The dude was publicly taunting them for hacker points rather than doing any sort of public service. A concerned citizen with social skills would have dialled one of the phone numbers and had a conversation.
 
I wonder on what grounds Medium ‘suspended’ that researcher's post?

I guess that’s yet another reason not to use blogging services like that for anything remotely important.

Also, if the researcher has been ignored and then blocked as appears to have happened, then public disclosure is the only way. I don’t see an issue with it.
Medium is also an awful site for the reader. You basically have to use Safari reader mode.
Agreed if this is true. Security researchers have a fairly clear-cut code of ethics, and this doesn't sound like that.
Unique passwords and 2FA may help with preventing your account from being hacked and other unrelated accounts being accessed, but it won't help to stop your data from being taken in a data breach.
Yes, it only protects your password. Password managers generate random passwords, and there should be equivalents for other credentials. For example, credit cards are insane. Why can't I give a unique number for every purchase?

Those calling for criminal penalties are missing the point. There are ways to make sure these breaches don't even matter, which is leagues better than "security through litigation." And the governments would be hypocritical in enforcing that given how insecure everything they run is.
 
You can? There is a website called privacy.com where you can make a temporary credit card for purchases like this. You can make it for a one-time purchase, limit the amount, or do lots of things. If it’s some shady company that I don’t trust, this would be the only way I would go.
 
That's nice, but it needs to be the standard. It'd also be better if the credit card company itself did it to reduce how many entities you have to trust.
 
Glad I always try to check out as guest and use third party payment systems on smaller sites like this. Only thing I ever bought from them was an iMac Pro Space Gray wrap for my 5K iMac, lol. It didn't look nearly as good as the actual iMac Pro I had at work, and yet I've never bothered taking it off because it was such a PITA to apply.

Hope the guy that exposed them doesn't get into trouble. Seems like his attempts at contacting them are well documented, but this just goes to show that it's unfortunately not always a great idea to be the good samaritan. These days wrap companies are a dime a dozen so hopefully their hacked clientele go elsewhere. I know I won't be conducting business with them again!
 
Unfortunately any site you frequent and hand your data off to is at risk. The largest vendors are the biggest targets, but more than likely the hardest to penetrate because they are willing to pay the necessary costs associated with protecting your and their data. Mid-size companies are a tossup. Small companies are a disaster waiting to happen. They do not have the necessary staffing to even begin to understand the risks. The best move for smaller companies is to run their e-commerce through a known entity who has the resources and a vested interest in protecting a company's data. Any small and almost any mid-sized company having their own servers with customer data connected to the Internet is out of their mind. Most have no clue as to the risk involved in Internet-connected servers and that it is not a set-and-forget environment.
You can do this with the Apple MasterCard. The functionality to generate numbers is built-in.
 
Yeah, this definitely needs to be built-in, kinda like how Apple Pay always sends a unique identifier. I love using Apple Pay on websites and it honestly makes me more likely to buy something from a particular site. I don't even really want to get into how much I just dropped on the NFL Shop after the Chiefs won. Between the extreme feeling of bliss that my team finally won it all to the fact that I could quickly tap on the Apple Pay button and have 30 some items delivered to my house, I probably didn't exercise my best financial judgement. Winning the Super Bowl is one hell of a drug…
 
Glad I always try to check out as guest and use third party payment systems on smaller sites like this.....

I agree with your best efforts, but the problem is that even though you select guest checkout, the vendor most likely keeps your CC information at least temporarily and possibly permanently. I have a small business that does not do online sales (it would not make sense), so this could not happen to us.

We do accept credit cards, but the card must be present and be inserted into our CC terminal (We cannot key the numbers in manually). It is connected to the Internet, but it does not store any credit card information locally. When a charge is made the CC information is transmitted to the processor via an encrypted connection. From that point on the CC information is gone and all we have is a printout with the name and last 4 digits of the card.

Because our terminal is connected to the Internet we have to complete PCI Compliance every year and we have to agree that our public IP address is subject to penetration testing at any time by the group performing the PCI Compliance. It does not matter that we do not store card information on a computer or on paper. There is a questionnaire that is a part of the Compliance that is so ridiculously technical that virtually no one could answer the questions with certainty. I call the processor for help answering the questions because even though they are "yes" or "no" they are more like "yes, maybe" or "no, maybe".

All that sounds great in terms of a basic level of security, however you can opt out of doing any of it by agreeing to pay slightly more to process your cards. The price difference is minuscule and some companies probably just pay more to avoid the rules.
 
This is a bassackwards take imo. Being an ****** as you seem to think he was being, is not a crime. Hacking their site is, but that has nothing to do with what you're complaining about in your quote. Basically you're saying he wasn't nice to Slickwraps. So? As many have pointed out, Slickwraps appeared to be stupidly negligent. They topped that security negligence with absurdly ineffective covering by trying to claim discovery of the intrusion in the future. o_O They blocked the guy when he was posting their internal code on Twitter. They're still sanitizing their Twitter feed trying to shade blame towards the hacker. There's so much wrong with Slickwraps' position in this but you want to drop 3 paragraphs about the guy being socially inept? Okay, I guess. This ain't a both sides deal here.
 
If you're going to maintain an editorial tone with this site, then you need to take a journalism class of some sort and implement best practices into your processes. Phrases such as "a clear lie" betray a personal response versus an objective analysis. You don't know whether a typo or intent was involved, so you should report the facts of the situation, not inject an unsubstantiated opinion. Let readers draw their own conclusion.
 
As long as it's encrypted and being sent through https or similar it should be fine. I think the main compliance issue would be with the firmware running on the terminal itself and making sure that is updated and that would probably be the responsibility of the vendor.

In my case, like I said, I use third party payment systems so they never see my card info. I'll use Amazon's payments system, Square, or more frequently PayPal. The best one is Apple Pay. But by using a set number of payment systems, I'm limiting the attack vectors to just a few sites. Sure, if one of those gets compromised I'm compromised, but so are hundreds of millions of users. Gives me more time to change all my info as I'm less likely to be compromised right away. On top of that, I always use a credit card online and never a debit card because it protects me from fraud. If something happens to that card, the credit card company takes care of it and wipes the charges. It's a small headache but not a big deal. Once I even had a fraud from an in-person exchange using a terminal dealing with a shady company that wanted a down payment on an apartment (which they lied, they didn't have any available) and refused to refund the down payment. Was moving across the state and didn't have time for that crap. Called them up and it was settled right away. I use credit cards for everything I can and have them set to auto pay the entire balance monthly. Also get cash back rewards.
 

Yes it is a both sides deal. Basically I’m saying he didn’t disclose the vulnerability to them before he went public. They shut him down on Twitter because he was just posting pwnage trophies and taunting them like a hacker. Nowhere in his story does he show where he told them what the vulnerability was or what his intentions were. No matter how much you might despise the negligence of Slickwraps, or what humiliation you think they deserve, the customers were innocent and he should have put their safety first.
 
The right way is to clearly communicate the vulnerability to the company in private well before you go public. There's no excuse to do anything but that.
 
The last thing I would do is promote how bad something is 'on a public internet'.



No, the right way is for the communication to be 'publicly' known, otherwise it could be fake.
 
I won't do business with them ever again. Incompetent companies like that should go out of business. I hope they do.

Oh, I can see them filing for bankruptcy or straight up going out of business, which is what I would like to see for all of you that now have your data breached. Fortunately, I never ordered a thing from them... hell, I have never even been to their website.

This is total BS though! For God's sake, they were warned and did NOTHING. I hope the lawsuits pile up on these asshats, and you all get a little something, which I know does not help the fact your data is out there with someone that you have no clue what their true intentions are.

God, this would piss me off beyond belief... hell... I am already pissed off and this does not even affect me. I just feel for the people on this site that got their information breached, because I have come to know a lot of people on MacRumors, and there are a lot of nice, generous, overall great people on this site!

:apple:
 
You're talking about responsible disclosure. I agree that it's how things should be done. Was he looking for 15 minutes of shine? Idk, probably. However, his lack of responsible disclosure doesn't lessen SW's culpability. There's no equivalency here. Responsible disclosure is not a requirement. We'd like everyone to be morally upright, but that ain't realistic in any sense. It is incumbent upon SW to responsibly secure customer data. On that task, they failed spectacularly.

We'll agree to disagree. Basically you want to kill the messenger because of the way he delivered the message. Nowhere in the story does he show where he told them what the vulnerability was or what his intentions were. True. Could that have been because they blocked him? Hard to find out what's going on when one refuses to communicate.
Let's say he's a world class turd looking for some shine in the spotlight. So? Let's not do hyperbole. No one's safety was at risk. The customers were innocent, but it wasn't the hacker's job to protect them. That responsibility belonged to SW. You seem hellbent on diminishing their culpability here. Not really sure why. Every step along the way, they did the exact wrong thing. The blame in this lies squarely at their feet. When a company installs software that says "don't use this in a production environment"... fingers don't get to be pointed elsewhere.

I'm guessing you'll stick with your opinion that this guy should have been nice and moral and done things the right way. I'm not going to argue with that opinion because a small part of me agrees with it. A bigger part of me says the focus should solely be on SW and their missteps from start to finish... because that's where the missteps occurred. From start to finish.
 
Hopefully, as this news breaks, their extreme lack of security & unwillingness to “do the right thing” will put them on the scrapheap of other companies run by clueless morons. As far as their “3rd party Customer Service” — all I can say is you get what you pay for — and now SlickWraps will be paying for their “lowest bidder supports our customers!”

This company deserves to be buried and their “executives” spend some time in jail.
 
The biggest problem remains corporate interest in having only as much security as does not noticeably impede conduct of business.. even business that should have been conducted otherwise and ends up being conducted as "emergency access to fix an urgent production problem" yada yada.

It's easy for some database administrator to tell a developer to **** off when he asks for an unusual permission. It becomes harder when you're a senior VP on the infotech side trying to tell that to a counterpart on the client side who's asking for an exception to data access rules because of a pressing business matter (like say the prospect of broadcasting "black air" instead of a movie when the exhibition contract data got messed up and it's ten minutes to prime time).

So when you're the infotech guy with the power to grant or deny access and things have escalated to the point where it's your CEO talking to you at that ugly moment of ten minutes to prime time... go figure.

The EU putting real teeth in data protection requirements is at least a start. In the USA prior to that, even for multinationals, the penalties for getting caught having paid scant lip service to data security had remained something of a wrist slap.

Nothing matters more than ability to conduct business as desired by the biz owners.

It's extremely difficult to thread legislative needles between that and some fairly common vulnerabilities in corporate protection of their data. And maybe it should be: overregulation can be as stupid as leaving the back door open, since having 40 locks on it can invite "emergency" workarounds worse than the original vulnerabilities. I broke into my own house once through a kitchen window when the ancient key for the second ancient lock on the door broke off in the cylinder... and I did it by nipping a ladder left sitting on the porch of a neighbor who was not home! But at least in the USA nowadays the prospect of even sensible regulations on data security seems quite the challenge. There's all of K street aligned against it. We should probably be grateful for the EU's pressure on the behemoths we in the states so commonly rely on for transactions and keeping our data secured.
 

Now who’s posting three paragraphs? I’m not going to debate right or wrong. I’m just here to point out that Lynx did not give a true warning or disclosure to SW, contrary to what this article, and most of the posters would have you believe. I think SW were incredibly naive about web security, and I think Lynx acted like a prize jerk. Trying to assign responsibility for the results is like trying to commentate on a bum fight.
 