Really, really, really bad.
Like, ban-it-now-from-your-domain bad.
So: I work in IT. This writeup and opinion is mine, not my employers, but the WeTransfer issues described here are so incredibly, woefully, and stupidly bad they needed called out in public.
Some of our people use WeTransfer.com to send files to each other, but I?ve honestly never looked at the service until this weekend.
After a quick look: sweet jesus on a pogo stick is WeTransfer terrible.
Let?s have a look at WeTransfer?s lack of basic, sane security precautions that make it ripe for abuse as a malware launchpad:
This weekend, a user/victim received a startling email from WeTransfer:
Personal & ID?ing info removed.
In short: someone used WeTransfer.com to upload and distribute a viral .doc file to 15 people, spoofed as being sent from the victim.
This ?Thanks for Using Wetransfer? email ? sent to the purposed original sender ?conveniently thanks them for using the service and provides a nice accounting for everybody about to get wrecked.
It also rubs salt in the wound: as there is no way to remove this upload ? even though the victim controls the account that supposedly sent the file in the first place.
The attachment, of course, was viral, meaning I got to handle cleanup duty.
Meanwhile, during the 13+ hours it took WeTransfer ?support? to respond to this, the victim received numerous ?X has downloaded your file? notification from Wetransfer ? essentially watching their reputation get trashed in real time because WeTransfer hadn?t removed the file.
So: How did this happen? This victim has never used WeTransfer, but since WeTransfer has NO AUTHENTICATION CHECK to verify sender email ownership/legitimacy, it lets fraudsters ?spoof? sender origins.
But don?t take my word for it: Give it a try – go to wetransfer.com, send yourself a file, enter your own email address as the recipient and make up literally whatever email you want up as the sender.
See what I mean?
Bang up job there, guys.
Any sane service would, of course, hold the file?s delivery until a verification link ? sent to the sender?s email address ? was clicked.
WeTransfer does not do this. WTAF guys?
Let?s check the WeTransfer FAQ on this very issue, hilariously titled ?Someone else used my email address, now what?!?
Any email address you want! EVEN BY MISTAKE!
That?s right: EASE OF USE IS A CORE VALUE ? so WeTransfer lets people spoof email addresses.
Literally the only reaction to this.
Issue 2: WeTransfer doesn?t A/V scan any of the files that uploaded to their service.
I mean its not like virustotal.com exists or anything, right?
The file that hit our user was detected by about half of the A/V scanenrs listed on VirusTotal. It could have been caught with a simple hash check.
Issue 3: WeTransfer doesn?t let ?spoofing? victims remove files sent via ?WeTransfer free?? unless they send in a support ticket
Again, via WeTransfer FAQ : ?Can I delete my upload??
?Happiness Troupe?. Sure.
It took WeTransfer support ~13.5 hours to respond to my support request, during which time the victim received notifications that most recipients had downloaded the virus file spoofed from ?their? email.
13.5 hours!
Issue 4: WeTransfer support made some, ah, interesting claims in the support case I sent them:
IF ONLY I HAD SOME WAY TO PROVE AN EMAILS ORIGIN oh wait hey yeah DKIM exists
Everything in yellow is completely untrue. DKIM-verified! The notification emails originated from WeTransfer. The file was hosted and downloaded from WeTransfer.
?Not from out platform?? DKIM begs to differ.
I think you get the point: Got hit with a virus spoofed from our service? Too bad! We?ll just lie to you in a form letter. We have three sets of eyes fixed on misbehavior. THAT?S LIKE SIX WHOLE EYES!
tl,dr:
-WeTransfer lets scammers and fraudsters impersonate senders with no authentication. This would be trivial to fix.
-WeTransfer doesn?t A/V scan any files uploaded, and because of this, acts as a launchpad and distribution point for malware. Another trivial fix.
WeTransfer doesn?t let ?spoofed? victims remove files sent under their email address without engaging WeTransfer support ? which is not a fast process. And, at least in my case, support lied to me about the issue?s origin.
Why is there not a ?Not yours? Click here to delete this file? link in every email?
In short: If I were you, I would ban wetransfer.com from your organization immediately.
