Slickwraps Hacked Due to Embarrassingly Bad Security


Slickhacked: An email from the official Slickwraps account showing that the database was hacked

Perhaps you had more luck with SlickWraps than I did. Maybe you love your wrap and found it easy to apply. Perhaps it didn’t require a hairdryer, or the box told you if it did. Let’s say you had a perfect experience with SlickWraps. All of that ended a few weeks ago, because if you let SlickWraps store any of your data, and I do mean any of it, hackers got their hands on it.

In a Medium post, penetration tester Lynx0x00 described how they were able to get into SlickWraps’ systems. It was shockingly easy. Furthermore, when they tried to get SlickWraps to fix the flaws, SlickWraps ignored the warnings. As a result, any number of hackers may now have SlickWraps’ full database of customer data.

Regardless of what you thought before, you can’t be happy with SlickWraps anymore.

How SlickWraps Failed Their Customers

Full Slickwraps email

Good thing the folks who did this hack say they only took email addresses, right? Right?


First, some malicious hackers got into SlickWraps’ servers a few months ago. This got other hackers involved. Security-conscious companies often hire penetration testers (“pen-testers”), also known as “white hat hackers,” to test their software. These hackers try their best to get in, then reveal how they did it, so the company can go back and fix its software. Some companies also offer “bug bounties,” sizeable payments to people who find a way into their systems and report it. The intention is to do whatever it takes to keep your customers safe.

The first time SlickWraps was hacked, they had an opportunity to learn from it. They didn’t. In fact, they didn’t even reveal the hack to their customers, as is required of any company that does business in the EU, where consumer protection laws do not allow companies to cover up breaches. The second(?) time they were hacked was by white hat hacker Lynx0x00. Lynx followed standard pen-testing procedure: they took meticulous notes, found as much data as they could, and left everything in place on their way out. Then they told SlickWraps about the hack before informing the public. Or, rather, they tried to inform SlickWraps.

How’d It Happen?

I read through the pen-testing report Lynx produced, and it’s shockingly bad. It would be like defending your apartment with a “Do not enter, please” sign instead of a lock. You can read the technical document for yourself here, but to simplify: SlickWraps has a feature that allows people to upload photos for custom skins. The upload accepted any file type, which is a gigantic flaw on its own, and it also let the uploader place a file in a directory other than the intended one. Combined, these allowed an uploaded file to be executed on the host server. From there, you could wander around their directories, finding information, granting yourself the full permissions of a high-level employee, and even gaining access to all customer information. If it helps with the explanation, it’s as though Lynx was able to sneak a drone into a person’s house, control it remotely, and do whatever they wanted inside.
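As an added illustration, not taken from the article or from Lynx’s report, here is what a minimal server-side check for an upload feature like that one could look like: it accepts only the image types a skin-printing feature needs, verifies that the bytes actually match the claimed type, and never lets the uploader choose the stored file name or directory. The upload directory, size limit and Python implementation are assumptions; the article names none of them.

```python
import os
import uuid

# Assumed upload root (the article names no paths). realpath resolves symlinks
# so the containment check below compares like with like.
UPLOAD_ROOT = os.path.realpath("/var/www/uploads")

# Only the image types the custom-skin feature needs, mapped to the file
# signature ("magic bytes") that a genuine file of that type must start with.
ALLOWED_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed limit


def check_upload(client_filename: str, data: bytes) -> tuple:
    """Return (stored_path, None) if the upload is acceptable, else (None, reason).

    The client-supplied name is used only to read the extension; the stored
    name is generated server-side, so neither the name nor the directory can
    be chosen by the uploader.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return None, "too large"
    # Drop any directory components the client sent ("../", "C:\\", ...).
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return None, f"extension not allowed: {ext or '(none)'}"
    # An allowed extension is not enough: the contents must be that type too.
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        return None, "content does not match declared image type"
    # Server-chosen name: no user-controlled text survives into the path.
    stored = os.path.join(UPLOAD_ROOT, f"{uuid.uuid4().hex}{ext}")
    # Belt and braces: the final path must still resolve inside UPLOAD_ROOT.
    if os.path.commonpath([UPLOAD_ROOT, os.path.realpath(stored)]) != UPLOAD_ROOT:
        return None, "path escapes upload directory"
    return stored, None
```

Store the accepted files outside the web root, or at least in a directory the web server will not execute scripts from; a validated name is only half of the defence.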

Lynx found criminally negligent security. Some of the code uncovered literally had comments in it stating that it was for test purposes only and lacked the security controls required to run it in a production environment. SlickWraps’ engineers ignored those warnings, likely to meet an arbitrary deadline enforced by some overzealous project manager focused on sprint burndown. The engineers will likely catch all the flak for it, though. Fellow engineers, this is why, when you uncover something like this, you should always make your complaints in writing, so there’s evidence you tried to repair a security flaw but management stopped you. It could save your career, and it often forces project managers to add time to a project because they know they’ll take the blame if anything goes wrong.

Where SlickWraps Failed

SlickWraps failed their customers so many times here. First, by shipping rushed code without proper security or pre-launch pen testing. Then, after the first time they were hacked, by not informing users and making changes. Then a third time when, after a white hat hacker got in, they refused to hear from them. In fact, SlickWraps blocked Lynx on Twitter. They only unblocked them when Lynx went back into their database, found direct email addresses for the CEO, and requested to be unblocked. They still didn’t bring an engineer into the discussion. Lynx wanted only one thing: to get SlickWraps to improve their security and warn their customers. They weren’t even asking for money.

SlickWraps ignored an inconvenient truth because they didn’t want to deal with the repercussions. Now their customers are all at risk.

What to Do if You Bought SlickWraps


If you paid for your SlickWraps through PayPal or Apple Pay, something that keeps payment details off SlickWraps’ servers, you’re in luck. The hackers may have your email address, and perhaps your shipping address, but they won’t have any payment information. You can probably see where this is going. If you did store your credit card information with SlickWraps, there’s a chance hackers have it.

Watch your credit score closely, and consider monitoring that will alert you if anyone tries to open a new line of credit in your name. Also watch your purchases carefully, and ensure your credit history always matches your own purchases. You may want to call up your credit card company. If you tell them that your credit card may have been hacked, they’ll likely send you a new one, and cancel the old one, no questions asked.

Furthermore, consider a different company. SlickWraps hires bots and trolls to boost their brand online. They harass people who complain about the difficulty of applying skins, or the lack of instructions for application. Insult the design or the difficulty of a good installation online, and expect ire. Instead, consider dbrand. They also make skins, and have better customer service and reviews. I actually used their installation videos to help me figure out what went wrong with my Slickwraps installs. Plus, they didn’t spend weeks ignoring hackers, both black and white hat, who warned them of issues, endangering every one of their customers.

SlickWraps showed just how little they care for their customers. You should listen to them.

