SlickWraps data breach

RafaelSoaresP

I don't trust smaller online companies with my data. I get things sent to a pickup location and pay using a PayPal account with a different front name. Most of my data online is incorrect on purpose, as I enjoy my privacy.

2 minutes ago, GodSeph said:

I don't trust smaller online companies with my data. I get things sent to a pickup location and pay using a PayPal account with a different front name. Most of my data online is incorrect on purpose, as I enjoy my privacy.

How do you get a PayPal account and use a different front name?

Are you using a PO Box?

Just now, greenmax said:

How do you get a PayPal account and use a different front name?

Are you using a PO Box?

Correct, PO box and PayPal. I have my name changed, and a first name is pretty common, so as long as the account still works, the last name changes on cards but not on the website.

2 minutes ago, GodSeph said:

Correct, PO box and PayPal. I have my name changed, and a first name is pretty common, so as long as the account still works, the last name changes on cards but not on the website.

Very interesting.

I was watching YouTube last night (a video on a conman, Mr. Aloff) and someone mentioned Deed Poll, which was very interesting. https://www.gov.uk/change-name-deed-poll

I know in Lebanon you can change your name easily too.

The anonymity part of my data being secure is interesting to me. I use an old telephone number when cashiers ask for a tele #, I don't use email receipts, and I should really start using cash instead of debit/credit cards. So Slickwraps is selling the info for money; that is very desperate.

Quote

The researcher 'disclosed' the hack to Slickwraps — and by 'disclosed,' I mean he said "Hey @SlickWraps, You failed the vibe check" in a public tweet, and then posted screenshots of customer support messages. I don't think that's how vulnerability disclosures work.

Excuse me

 

What

The

Literal
Fuck

Okay so, this "researcher" is extremely irresponsible, provocative, and downright shameful. Based on the Medium post, tweet, and other things, his first contact with Slickwraps was 2/16 with his subjectively provocative tweet. To put this in perspective, the generally agreed-upon wait period for disclosing a vulnerability is 90 DAYS; this guy could barely wait 7 before spilling all the details. This is what is known as Responsible Disclosure and is standard with companies such as HackerOne and Google Project Zero, among others.

During the period between Feb 16 and now, he irresponsibly, and repeatedly, leaked private information to the general public. It should be common sense that a lot of companies use third parties to manage their social media. Leaking that information would not have brought the attention of a sysadmin, unlike things such as breaking APIs, renaming or locking accounts, among other things that do not cause financial, privacy, and integrity loss.

As someone even mildly into the netsec, infosec, and "hacking" community, this "researcher" gives all of us a bad name. This is not how we act. This behavior pushes companies into considering and oftentimes bringing suit against well-meaning individuals under the CFAA act. These are felonies and can ruin the life of someone wanting to learn about these processes, protect their own (and others') data, and improve security across the web. I am truly ashamed.

Edited by rcmaehl
RANT INSERTED

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


The vulnerabilities involved are pretty severe, it's very bad that they were there, and Slickwraps' response looks very poor, but that is not how responsible disclosure works.

You don't see how far you can get and how many accounts you can compromise; you stop at finding a remote code execution vulnerability and report it to them.

You don't report an issue by tweeting them with "vibe check", then post a nondescript screenshot of a support ticket with absolutely no mention of the fact that, for example, it isn't your ticket; you make it clear that you've found a critical vulnerability so that it can be triaged appropriately.

You don't report security vulnerabilities through Twitter; you try to find the email of a relevant employee, and if that fails you can try security@, webmaster@, admin@, cto_first_name@, or at the very least tweet them directly asking them to DM or email you.

HTTP/2 203

17 minutes ago, colonel_mortis said:

The vulnerabilities involved are pretty severe, it's very bad that they were there, and Slickwraps' response looks very poor, but that is not how responsible disclosure works.

You don't see how far you can get and how many accounts you can compromise; you stop at finding a remote code execution vulnerability and report it to them.

You don't report an issue by tweeting them with "vibe check", then post a nondescript screenshot of a support ticket with absolutely no mention of the fact that, for example, it isn't your ticket; you make it clear that you've found a critical vulnerability so that it can be triaged appropriately.

You don't report security vulnerabilities through Twitter; you try to find the email of a relevant employee, and if that fails you can try security@, webmaster@, admin@, cto_first_name@, or at the very least tweet them directly asking them to DM or email you.

He did try to tweet them directly, according to what I read in the Medium post, and asked to be contacted, but they had blocked him. On the other hand, I fully agree he should have tried more direct ways of contacting them, but if the Medium post is/was to be believed, they didn't care. Slickwraps eventually did DM him and subsequently blocked him again within 5 minutes. The irresponsible disclosure, though, is shameful on the part of the discovering party; 100% agree there. Both parties are in the wrong here and both deserve whatever punishment they get in the end imo. I just wish no customer information got leaked because of the reckless disclosure or the lack of willingness to discuss anything.

Edit:

Double-checked the Medium post, and he DID email their customer support directly and was ignored.

1 hour ago, GodSeph said:

Correct, PO box and PayPal. I have my name changed, and a first name is pretty common, so as long as the account still works, the last name changes on cards but not on the website.

But even then, PO box info is not secure.

A company can fill out some paperwork and get the info of the owner of the PO box.

Now I'm not saying they will do that, as it's more work. But it is doable.

1 minute ago, RonnieOP said:

But even then, PO box info is not secure.

A company can fill out some paperwork and get the info of the owner of the PO box.

Now I'm not saying they will do that, as it's more work. But it is doable.

It's not 100%, no; the only way for that is to not give information online. But for the most part this is a great way to block the obvious "put in address and name into a random website and use the same password as the email account" lol.

10 minutes ago, GodSeph said:

It's not 100%, no; the only way for that is to not give information online. But for the most part this is a great way to block the obvious "put in address and name into a random website and use the same password as the email account" lol.

I agree 100%.

Putting in more security is never a bad idea.

Anytime you introduce hurdles you reduce the number of threats.

1 minute ago, RonnieOP said:

I agree 100%.

Putting in more security is never a bad idea.

Anytime you introduce hurdles you reduce the number of threats.

What most non-tech people don't understand is that any amount of hurdles for people trying to steal data usually stops them, as they mostly want the easy money. If they are good enough to get past all the hurdles and work around things, they're usually hitting much bigger fish than Joe Blow from New York lol.

I'm gone for 2 hours and this blows up. If you want a good security tip, here is what I do. I have multiple email accounts with Google, Microsoft, and others. The email I use to run my banking account is not even close to the same one that I use to run this forum account. In terms of employment, Adult Swim has a completely different account than the FBI. Never use an account that is connected to financial details or personal details on a public site. Always use 2-factor authentication and have security alerts enabled. One of my classmates for the FBI internship has 10 email accounts. I'm not saying to be paranoid like them, but have something you can quickly ditch in case of a breach. Make dummy accounts for social media and sites you believe to be risky that you can quickly terminate.

Just now, FakeCIA said:

Always use 2-factor authentication

To add on, SMS 2FA is not a secure 2FA method.

1 hour ago, rcmaehl said:

To add on, SMS 2FA is not a secure 2FA method.

Yes. Use an app like Microsoft Authenticator, where your device itself is the key. There are also other ways, but having something where an individual device is the password itself is best. I have a backup phone in case mine fails or is stolen. There are also physical security keys that are available in USB-C, USB 3.0, and Micro USB. Those work too, but can be lost easily if they are on a keychain. I find that the best ones come from Microsoft and Google. You can also turn a standard thumb drive into a security key with an option in Windows 10 Pro.

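The two posts above contrast SMS codes with an authenticator app "where your device itself is the key". The difference is that an app-based code is computed on the device from a secret that was provisioned to it at enrolment, so nothing travels over a channel that a SIM swap or SS7 interception can observe; an SMS code is just a random number delivered over that channel. The example below is an added illustration, not code from this thread or from any authenticator vendor: it implements HOTP (RFC 4226) and TOTP (RFC 6238), which is what most authenticator apps compute, and a server-side verify step with a small clock-drift window and a replay guard that refuses to accept a counter value that has already been used. The secret and the expected codes are the public test vectors from those RFCs; the replay bookkeeping (`last_counter`) is my own simplification of what a real server would store per user.

```python
import hashlib
import hmac
import struct
import time

# Shared secret provisioned to the device at enrolment (usually shown as a QR
# code). This is the RFC 4226 / RFC 6238 test-vector secret, not a real one.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from wall-clock time.
    The device and the server compute the same value independently; no code
    is ever transmitted to the device, which is what makes it device-bound."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns (accepted, new_last_counter).

    - Accepts the current time step and `window` steps either side so a
      slightly drifted phone clock still works.
    - Rejects any counter <= last_counter, so a code that was already used
      (for example one phished and replayed seconds later) is refused even
      though it is still inside the time window.
    - Uses a constant-time comparison so the check does not leak how many
      digits matched."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("device shows:", code)
    ok, last = verify_totp(DEMO_SECRET, code, now, last_counter=-1)
    print("first use accepted:", ok)
    ok, last = verify_totp(DEMO_SECRET, code, now + 5, last_counter=last)
    print("replay of same code accepted:", ok)  # False: counter already consumed
```

Note that the replay guard only works if the server persists `last_counter` per user; an implementation that accepts any code inside the window without remembering what it already consumed gives an attacker who phishes a code a 30 to 90 second reuse opportunity, which is one of the weaknesses FIDO security keys (the hardware keys mentioned in the same post) are designed to remove entirely.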

The part about backing up user-submitted pornographic images separately was pretty telling of the reputability of the company.

-= Topic Moved to General Discussion =-

Topic does not meet the requirements of a Tech News topic.

I am a Moderator, but I am fallible. Discuss or debate with me as you will but please do not argue with me as that will get us nowhere.