8 votes

Security researcher hacks SlickWraps, publishes a disclosure

6 comments

  1. noneucat

    The original Medium link has been taken down at time of posting. Archive: http://archive.is/yEIJT

    While I agree there may have been a mishandling of an attempted disclosure by SlickWraps, the author took some actions that I did not agree with:

    1. Vague communication with the company about the issue
      The author writes in the article that one of their first attempts at establishing a line of collection was to send this tweet, which reads: "Hey @ SlickWraps, You failed the vibe check."; I don't believe that this was a meaningful or professional attempt at contacting a company for a disclosure. The tweet is then followed up by this one, which seems to almost egg them on with a screencap of a CSR exchange taken from the hack.

    2. Unnecessary exploration of systems
      I believe the author should not have gone any further as soon as they obtained shell & write access. The revenue numbers and statistics posted at the beginning of the article strike me as unnecessary. There is nothing to gain from posting these + countless other pieces of data from the hack (e.g. CSR emails, screencaps of their stack, logs, etc.), as they could have demonstrated the vulnerability through other means (such as a file upload).

    3. Too much information in the disclosure
      The article seems to enumerate every single credential/service/item of interest they found or encountered. Consequently, this provides what is essentially a map of internal systems for nefarious third parties who may be interested in exploiting this vulnerability. Publishing this much information about SlickWraps' systems without obtaining consent from the company & confirmation that the vulnerability has been mitigated is irresponsible.

    To me, the article seems like some sort of crusade against the company rather than an attempt at responsible disclosure.

    8 votes
    1. Keegan

      I changed the link to the archive you posted. I'll change it back if it goes back up, which I don't have much hope for.

      1 vote
  2. Shahriar

    This could have been played out so much better to give this "white hat" security researcher some reputability behind their work. They just gave steps behind every single way to access the data, which hasn't even been secured yet. They are equally at fault at this point, and every positive-intent statement is a complete contradiction when that article and whitepaper were written the way they were.

    7 votes
  3. jcdl

    I received two emails today "from" SlickWraps support titled "if you're reading this, it's too late."

    https://i.imgur.com/aVFjR9o.png

    This is pretty much the definition of irresponsible disclosure. Thankfully I used PayPal to buy my phone skin but I'm definitely a bit irritated.

    6 votes
    1. cfabbro
      (edited)

      This is pretty much the definition of irresponsible disclosure.

      Indeed, and that makes this topic really hard to vote on IMO, since voting on it makes me feel like it's somehow tacitly approving of the action... when I absolutely don't (and even @noneucat seems to feel the same). The potential fallout and tangible harm this completely irresponsible disclosure will likely cause is unpleasant to think about, and clearly it has already started happening. Sorry to hear about your situation, BTW. :(

      5 votes