WeTransfer sends user file links to wrong people

Popular file transfer service WeTransfer faces embarrassment this week after admitting that it has mailed file links to the wrong users.

Founded in 2009, WeTransfer lets users send large files to one another for free. It’s an alternative to email services, which typically place limits on attachment size. It has 50 million users sending a billion files each month, amounting to a Petabyte (1,000 Terabytes) of data.

The service, which became profitable in 2013, funds its free version through advertising. It also offers a paid ‘Plus’ tier that lets users password-protect their files.

On 21 June 2019 WeTransfer posted a security notice warning of an incident it had discovered five days earlier on Monday 17 June 2019.

The issue began on 16 June 2019, the notice said, adding:

e-mails supporting our services were sent to unintended e-mail addresses. We are currently informing potentially affected users and have informed the relevant authorities.

WeTransfer had blocked the links and logged users out of their accounts, it said.

The same day that the security notice appeared, Jamie Brown, CEO of fashion site Chicmi, tweeted a direct notification that WeTransfer had sent him:

The scary part:

We have learned that a transfer you sent or received was also delivered to some people it was not meant to go to. Our records show that these files have been accessed, but almost certainly by the intended recipient.

“Almost certainly” won’t exactly fill people with confidence.

Brown told Naked Security that the incident affected a batch of photos that a client had sent him on 16 June 2019. He added:

Thankfully we mostly use WeTransfer for sending and receiving brand photos for use on Chicmi.com – so they’re mostly heading into the public domain anyway, and the worst that might happen is an embargo being broken for an upcoming event.

However I’m sure others are not so relaxed about it, bearing in mind the way the service is used!

Rival service TresorIT was quick to jump on the incident:

While it’s obviously trying to promote its own service, it has a point. With end-to-end encryption, only the sender and the intended recipient hold the keys, so a file link delivered to the wrong address would yield nothing readable, and the service itself could not expose the contents either. It would need to be implemented correctly, though.

from Naked Security – Sophos http://bit.ly/2YbE73R