Update: Plumbing Facebook, Researcher Finds Hole In Secure File Transfer Platform

Updated to include response from Accellion. 1/9/2013

A security researcher who was looking for vulnerabilities in Facebook’s platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion.

Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he uncovered a security hole affecting Accellion’s Secure File Transfer service that could allow an attacker to take control of a user’s Secure File Transfer account with little more than the e-mail address associated with the account.

Facebook File Transfer

Accellion Secure File Transfer is a service that allows enterprises to offer secure transfer and storage of large files (up to 100GB). In contrast to consumer-focused services like DropBox, Accellion offers comprehensive file tracking and reporting as well as data security features necessary to satisfy government regulations like HIPAA, GLBA, and SOX. Secure File Transfer is offered to companies as a private cloud, public cloud or hybrid offering.

Goldshlager said he discovered the password reset vulnerability while analyzing a private deployment of Accellion that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access an account creation page for the Facebook deployment and create a new account linked to his e-mail address.

You might also be interested in “Profile Poisoning The Next Frontier for Hackers.”

In an e-mail exchange with The Security Ledger, Goldshlager said that he has reported security vulnerabilities to Facebook before, as part of that company’s Bug Bounty Program.

He then analyzed files from a Accellion virtual image and discovered a serious security lapse in the platform’s password reset feature. Anyone with knowledge of a legitimate account could manipulate the feature and reset the password for the account linked to that e-mail to one of their choosing. Attackers would only need to manipulate the information sent to Accellion in a HTTP POST request to make the change, he discovered.

Goldshlager reported the password reset bypass to Facebook’s security team, which passed it along to Accellion. As of Monday, Goldshlager said both Facebook’s internal file sharing installation and Accellion’s software have been patched, though it’s unclear whether all Accellion customers are covered by the fix.

E-mail messages sent to Accellion and Facebook by The Security Ledger were not immediately returned. On Wednesday, Accellion posted a note on its support site, updating customers about the flaw. According to that post, the incident was first detected and reported on March 19, 2012. Accellion removed the password reset hole at the time with its 9_1_166 software release on Mar 20, 2012. Customers running that version of the company’s software are protected. Those running earlier versions of the software are vulnerable and are instructed to “upgrade immediately.”

In the meantime, Goldshlager made a demonstration video of his exploit, which was published on YouTube:

File sharing services are no stranger to security issues. In just the last year, DropBox was the target of an attack that compromised a small number of user accounts. Accellion markets itself as an alternative to consumer-focused file transfer and sharing services for security conscious organizations facing regulatory scrutiny.

5 Comments

  1. I just called an Accellion engineer (I’m corp IT staff and I manage an Accellion Secure File system) and he confirmed they patched this vulnerability in version update FTA_9_1_x (September?). They’re currently on FTA_9_3_1.

  2. Thanks, Greg. I have an e-mail out (to their CEO no less, who I was once on a panel with), but haven’t had any response despite multiple attempts to get more info on how and when it was patched. Any idea if private cloud customers could still be vulnerable, or would they all be running FTA_9_3_1 ?

  3. This incident actually happened back in March 2012, and has already been patched by Accellion.

    Accellion resolved and patched this issue within one day of it being reported to them (by the security researcher and Facebook).

    The patch was issued with the 9_1_166 release on Mar 20, 2012. Any customers on release version 9_1_166 or later are safe from this reported issue.

    • Do we know that all customers have upgraded their private cloud deployments to 9_1_166 or later and that they were informed of the serious security hole in earlier versions of the platform?