Updated to include response from Accellion. 1/9/2013
A security researcher who was looking for vulnerabilities in Facebook’s platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion.
Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he uncovered a security hole affecting Accellion’s Secure File Transfer service that could allow an attacker to take control of a user’s Secure File Transfer account with little more than the e-mail address associated with the account.
Accellion Secure File Transfer is a service that allows enterprises to offer secure transfer and storage of large files (up to 100GB). In contrast to consumer-focused services like DropBox, Accellion offers comprehensive file tracking and reporting as well as data security features necessary to satisfy government regulations like HIPAA, GLBA, and SOX. Secure File Transfer is offered to companies as a private cloud, public cloud or hybrid offering.
Goldshlager said he discovered the password reset vulnerability while analyzing a private deployment of Accellion that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access an account creation page for the Facebook deployment and create a new account linked to his e-mail address.
In an e-mail exchange with The Security Ledger, Goldshlager said that he has reported security vulnerabilities to Facebook before, as part of that company’s Bug Bounty Program.
He then analyzed files from an Accellion virtual image and discovered a serious security lapse in the platform’s password reset feature. Anyone who knew the e-mail address of a legitimate account could manipulate the feature and reset that account’s password to one of their choosing. Attackers would only need to manipulate the information sent to Accellion in an HTTP POST request to make the change, he discovered.
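To illustrate the bug class described above, here is an added Python sketch (not Accellion’s code, which is not shown here) of a reset handler that lets the e-mail field in the POST body choose the account, beside a hardened version that binds the reset to a single-use token delivered out of band; the user store and e-mail address are constructed sample data.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ResetService:
    # Constructed sample store: e-mail -> password (plaintext only to keep the demo short).
    users: dict = field(default_factory=lambda: {"victim@example.com": "original-secret"})
    # Hypothetical pending-reset table: sha256(token) -> owning e-mail address.
    pending: dict = field(default_factory=dict)

    def vulnerable_reset(self, post: dict) -> bool:
        """Bug class from the article: the e-mail in the POST body selects the
        account and the same body carries the new password, with no proof that
        the requester controls that mailbox. Knowing the address is enough."""
        email = post.get("email")
        if email not in self.users:
            return False
        self.users[email] = post["new_password"]
        return True

    def request_reset(self, email: str) -> Optional[str]:
        """Hardened flow, step 1: mint a random single-use token and record only
        its hash. The token is returned here to simulate e-mail delivery; a real
        service sends it to the mailbox and never echoes it in the HTTP response."""
        if email not in self.users:
            return None  # respond identically for unknown addresses (no enumeration)
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = email
        return token

    def hardened_reset(self, post: dict) -> bool:
        """Hardened flow, step 2: the account is chosen by the token, never by a
        caller-supplied e-mail field, and the token is consumed on first use."""
        digest = hashlib.sha256(post.get("token", "").encode()).hexdigest()
        email = self.pending.pop(digest, None)
        if email is None:
            return False
        self.users[email] = post["new_password"]
        return True
```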
Goldshlager reported the password reset bypass to Facebook’s security team, which passed it along to Accellion. As of Monday, Goldshlager said both Facebook’s internal file sharing installation and Accellion’s software have been patched, though it’s unclear whether all Accellion customers are covered by the fix.
E-mail messages sent to Accellion and Facebook by The Security Ledger were not immediately returned. On Wednesday, Accellion posted a note on its support site, updating customers about the flaw. According to that post, the incident was first detected and reported on March 19, 2012. Accellion removed the password reset hole at the time with its 9_1_166 software release on Mar 20, 2012. Customers running that version of the company’s software are protected. Those running earlier versions of the software are vulnerable and are instructed to “upgrade immediately.”
In the meantime, Goldshlager made a demonstration video of his exploit, which was published on YouTube.
File sharing services are no stranger to security issues. In just the last year, DropBox was the target of an attack that compromised a small number of user accounts. Accellion markets itself as an alternative to consumer-focused file transfer and sharing services for security conscious organizations facing regulatory scrutiny.