WeTransfer sends user file links to wrong people
Popular file transfer service WeTransfer faces embarrassment this week after admitting that it has mailed file links to the wrong users.
Founded in 2009, WeTransfer enables users to transfer large files between each other for free. It’s an alternative to email services, which typically place limitations on file size. It has 50 million users sending a billion files each month, amounting to a Petabyte (1,000 Terabytes) of data.
The service, which became profitable in 2013, provides its free version through an advertising model. It also offers a paid ‘Plus’ service that lets users password protect their files.
On 21 June 2019 WeTransfer posted a security notice warning of an incident it had discovered five days earlier on Monday 17 June 2019.
The issue began on 16 June 2019, the notice said, adding:
“e-mails supporting our services were sent to unintended e-mail addresses. We are currently informing potentially affected users and have informed the relevant authorities.”
WeTransfer had blocked the links and logged users out of their accounts, it said.
The problem with password protecting files is that it’s a form of symmetric encryption, where the sender and recipient of a file use the same secret to access the file. The sender can’t securely send the secret and the file via the same channel because an eavesdropper could intercept both the file and the secret. Instead, they either need to meet in person to share the secret, or share it through an alternative channel like a text message or phone call. This creates its own security and usability issues.
Asymmetric (public key) cryptography is more complex but also more secure because it uses two digital keys for each user – a private (secret) one that is never sent via any channel, and a public (non-secret) one.
The sender of a file uses the recipient’s public key (viewable by anyone) to encrypt it. Only the recipient’s private key can decrypt it. As long as the recipient keeps their private key safe, they can read a message encoded with their public key while keeping it away from eavesdroppers.
As a bonus, the sender can also prove their own identity by encoding the file with their private key as well (in effect, a digital signature). The recipient then goes through an extra step, decrypting the message with the sender’s public key. That proves that only the sender could have sent the message, rather than an imposter.
The challenge with asymmetric encryption is creating a product that is easy enough to use and hides all that complexity from the user. The upside is that even if the file transfer service messes up and sends your files to the wrong person, they won’t be readable.
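To make the last point concrete, here is an added example (not code from WeTransfer or from any service named in this article) in which a file is sealed for one recipient and the resulting envelope then lands with someone else. It uses Node.js's built-in crypto module and the usual hybrid construction, in which the public key wraps a random per-file symmetric key. The choice of RSA-OAEP with AES-256-GCM, the function names and the sample file contents are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// OAEP padding with SHA-256 for wrapping the per-file key (illustrative choice).
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each user holds an RSA key pair; only the public half is ever shared.
function newUser() {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

// Sender side: encrypt the file with a fresh AES-256-GCM key, then wrap that
// key with the recipient's public key. The envelope is all the service stores.
function sealFile(plaintext, recipientPublicKey) {
  const fileKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', fileKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, fileKey),
    iv,
    tag: cipher.getAuthTag(),
    ciphertext,
  };
}

// Recipient side: unwrap the file key with the private key, then decrypt.
// Throws if the private key does not match or the envelope was altered.
function openFile(envelope, privateKey) {
  const fileKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', fileKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Returns true only if the holder of privateKey can read the envelope.
function canRead(envelope, privateKey) {
  try { openFile(envelope, privateKey); return true; } catch { return false; }
}

// Constructed scenario: the link is mailed to an unintended address.
const intended = newUser();
const unintended = newUser();
const envelope = sealFile(Buffer.from('constructed sample file contents'), intended.publicKey);
console.log('intended recipient can read:  ', canRead(envelope, intended.privateKey));
console.log('unintended recipient can read:', canRead(envelope, unintended.privateKey));
```

The service in the middle only ever handles the envelope, so a misdirected link exposes ciphertext and a wrapped key that the wrong recipient cannot unwrap.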
As it stands, the free version of WeTransfer doesn’t protect its files with any secrets at all, which is why the email misfire is so problematic.
There are alternative free services offering end-to-end encryption, such as Mozilla’s Firefox Send, officially launched in March 2019 after a two-year test period. This uses the Web Crypto API, which employs asymmetric encryption. It allows you to send files 2.5Gb in size if you have a Firefox account, or 1Gb if you don’t.