Slickwraps, a store that sells custom "skins" for mobile devices, consoles and more, has recently alerted customers to a data breach. After finding a path traversal vulnerability in the image uploader used for designing skins, Twitter user @Lynx0x00 (whose account appears to have been deleted at the time of this writing) claimed that he was able to gain full access to the Slickwraps site. Lynx0x00 reported having full access to employee resumes, photos uploaded by customers, the Zendesk customer support system, API credentials, and personal customer information such as hashed passwords, shipping addresses, and transaction histories. When he tried to report the vulnerability to Slickwraps, Lynx0x00 claimed that the company ignored multiple attempts to reach out and instead blocked him. To make matters worse, shortly after he published a blog post on Medium describing the details of the vulnerability, an unknown actor mass-emailed Slickwraps customers with an ominous-looking message that linked to the researcher's blog post. The email contained an edited version of the Slickwraps logo with the word "HACKED" over it and opened with the message "If you're reading this it's too late, we have your data." On February 21st, Slickwraps notified customers and posted a public statement on its Twitter account acknowledging the breach.
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is