WeTransfer sends user file links to wrong people

Popular file transfer service WeTransfer faces embarrassment this week after admitting that it has mailed file links to the wrong users.

Founded in 2009, WeTransfer enables users to transfer large files between each other for free. It’s an alternative to email services, which typically place limitations on file size. It has 50 million users sending a billion files each month, amounting to a Petabyte (1,000 Terabytes) of data.

The service, which became profitable in 2013, provides its free version through an advertising model. It also offers a paid ‘Plus’ service that lets users password protect their files.

On 21 June 2019 WeTransfer posted a security notice warning of an incident it had discovered five days earlier on Monday 17 June 2019.

The issue began on 16 June 2019, the notice said, adding:

e-mails supporting our services were sent to unintended e-mail addresses. We are currently informing potentially affected users and have informed the relevant authorities.

WeTransfer had blocked the links and logged users out of their accounts, it said.

The same day that the security notice appeared, Jamie Brown, CEO of fashion site Chicmi, tweeted a direct notification that WeTransfer had sent him:

The scary part:

We have learned that a transfer you sent or received was also delivered to some people it was not meant to go to. Our records show that these files have been accessed, but almost certainly by the intended recipient.

“Almost certainly” won’t exactly fill people with confidence.

Brown told Naked Security that the incident affected a batch of photos that a client had sent him on 16 June 2019. He added:

Thankfully we mostly use WeTransfer for sending and receiving brand photos for use on Chicmi.com – so they’re mostly heading into the public domain anyway, and the worst that might happen is an embargo being broken for an upcoming event.

However I’m sure others are not so relaxed about it, bearing in mind the way the service is used!

Rival service Tresorit was quick to jump on the incident:

In the recent #WeTransfer security incident, they were sending user files to the wrong recipients for two days. This wouldn't have happened if they used end-to-end encryption (see thread).

— Tresorit (@Tresorit) June 24, 2019

While it’s obviously trying to promote its own service, it has a point. End-to-end encryption would stop anyone other than the sender and recipient of a file from seeing it. It would need to be done correctly, though.

The problem with password protecting files is that it’s a form of symmetric encryption, where the sender and recipient of a file use the same secret to access the file. The sender can’t securely send the secret and the file via the same channel because an eavesdropper could intercept both the file and the secret. Instead, they either need to meet in person to share the secret, or share it through an alternative channel like a text message or phone call. This creates its own security and usability issues.

Asymmetric (public key) cryptography is more complex but also more secure because it uses two digital keys for each user – a private (secret) one that is never sent via any channel, and a public (non-secret) one.

The sender of a file uses the recipient’s public key (viewable by anyone) to encrypt it. Only the recipient’s private key can decrypt it. As long as the recipient keeps their private key safe, they can read a message encoded with their public key while keeping it away from eavesdroppers.

As a bonus, the sender can also prove their own identity by encoding the file with their private key as well. Then, the recipient must go through an extra step, decrypting the message with the sender’s public key. That proves that only the sender could have sent the message, rather than an imposter.

The challenge with asymmetric encryption is creating a product that is easy enough to use and hides all that complexity from the user. The upside is that even if the file transfer service messes up and sends your files to the wrong person, they won’t be readable.

As it stands, the free version of WeTransfer doesn’t protect its files with any secrets at all, which is why the email misfire is so problematic.

There are alternative free services offering end-to-end encryption, such as Mozilla’s Firefox Send, officially launched in March 2019 after a two-year test period. This uses the Web Crypto API, which employs asymmetric encryption. It allows you to send files 2.5Gb in size if you have a Firefox account, or 1Gb if you don’t.

WeTransfer declined to answer our questions about the incident yesterday, referring us instead to the security notice on its site.