The original Medium link has been taken down at time of posting. Archive: http://archive.is/yEIJT While I agree there may have been a mishandling of an attempted disclosure by SlickWraps, the...
The original Medium link has been taken down at time of posting. Archive: http://archive.is/yEIJT
While I agree there may have been a mishandling of an attempted disclosure by SlickWraps, the author took some actions that I did not agree with:
Vague communication with the company about the issue
The author writes in the article that one of their first attempts at establishing a line of collection was to send this tweet, which reads: "Hey @ SlickWraps, You failed the vibe check."; I don't believe that this was a meaningful or professional attempt at contacting a company for a disclosure. The tweet is then followed up by this one, which seems to almost egg them on with a screencap of a CSR exchange taken from the hack.
Unnecessary exploration of systems
I believe the author should not have gone any further as soon as they obtained shell & write access. The revenue numbers and statistics posted at the beginning of the article strike me as unnecessary. There is nothing to gain from posting these + countless other pieces of data from the hack (e.g. CSR emails, screencaps of their stack, logs, etc.), as they could have demonstrated the vulnerability through other means (such as a file upload).
Too much information in the disclosure
The article seems to enumerate every single credential/service/item of interest they found or encountered. Consequently, this provides what is essentially a map of internal systems for nefarious third parties who may be interested in exploiting this vulnerability. Publishing this much information about SlickWraps' systems without obtaining consent from the company & confirmation that the vulnerability has been mitigated is irresponsible.
To me, the article seems like some sort of crusade against the company rather than an attempt at responsible disclosure.
This could have been played out so much better to give this "white hat" security researcher some reputability behind their work. They just gave steps behind every single way to access the data,...
This could have been played out so much better to give this "white hat" security researcher some reputability behind their work. They just gave steps behind every single way to access the data, which hasn't even been secured yet. They are equally at fault at this point, and every positive-intent statement is a complete contradiction when that article and whitepaper was written the way it was.
I received two emails today "from" SlickWraps support titled "if you're reading this, it's too late." https://i.imgur.com/aVFjR9o.png This is pretty much the definition of irresponsible...
I received two emails today "from" SlickWraps support titled "if you're reading this, it's too late."
Indeed, and that makes this topic really hard to vote on IMO, since voting on it makes me feel like its somehow tacitly approving of the action... when I absolutely don't (and even @noneucat seems...
This is pretty much the definition of irresponsible disclosure.
Indeed, and that makes this topic really hard to vote on IMO, since voting on it makes me feel like its somehow tacitly approving of the action... when I absolutely don't (and even @noneucat seems to feel the same). The potential fallout and tangible harm this completely irresponsible disclosure will likely cause is unpleasant to think about, and clearly it has already started happening. Sorry to hear about your situation, BTW. :(
The original Medium link has been taken down at time of posting. Archive: http://archive.is/yEIJT
While I agree there may have been a mishandling of an attempted disclosure by SlickWraps, the author took some actions that I did not agree with:
Vague communication with the company about the issue
The author writes in the article that one of their first attempts at establishing a line of collection was to send this tweet, which reads: "Hey @ SlickWraps, You failed the vibe check."; I don't believe that this was a meaningful or professional attempt at contacting a company for a disclosure. The tweet is then followed up by this one, which seems to almost egg them on with a screencap of a CSR exchange taken from the hack.
Unnecessary exploration of systems
I believe the author should not have gone any further as soon as they obtained shell & write access. The revenue numbers and statistics posted at the beginning of the article strike me as unnecessary. There is nothing to gain from posting these + countless other pieces of data from the hack (e.g. CSR emails, screencaps of their stack, logs, etc.), as they could have demonstrated the vulnerability through other means (such as a file upload).
Too much information in the disclosure
The article seems to enumerate every single credential/service/item of interest they found or encountered. Consequently, this provides what is essentially a map of internal systems for nefarious third parties who may be interested in exploiting this vulnerability. Publishing this much information about SlickWraps' systems without obtaining consent from the company & confirmation that the vulnerability has been mitigated is irresponsible.
To me, the article seems like some sort of crusade against the company rather than an attempt at responsible disclosure.
Thank you!
This could have been played out so much better to give this "white hat" security researcher some reputability behind their work. They just gave steps behind every single way to access the data, which hasn't even been secured yet. They are equally at fault at this point, and every positive-intent statement is a complete contradiction when that article and whitepaper was written the way it was.
I received two emails today "from" SlickWraps support titled "if you're reading this, it's too late."
https://i.imgur.com/aVFjR9o.png
This is pretty much the definition of irresponsible disclosure. Thankfully I used PayPal to buy my phone skin but I'm definitely a bit irritated.
Indeed, and that makes this topic really hard to vote on IMO, since voting on it makes me feel like its somehow tacitly approving of the action... when I absolutely don't (and even @noneucat seems to feel the same). The potential fallout and tangible harm this completely irresponsible disclosure will likely cause is unpleasant to think about, and clearly it has already started happening. Sorry to hear about your situation, BTW. :(