Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror

Slashdot videos: Now with more Slashdot!

  • View

  • Discuss

  • Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

×
Security Facebook Privacy Software Your Rights Online

Serious Password Reset Hole In Accellion Secure FTP 27

Posted by Soulskill
from the how-to-annoy-other-users dept.
chicksdaddy writes "A security researcher who was looking for vulnerabilities in Facebook's platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion. Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he discovered the password reset vulnerability while analyzing a Accellion deployment that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access a hidden account creation page for the Facebook deployment and create a new Facebook/Accellion account linked to his e-mail address. After analyzing Accellion's password reset feature, he realized that — with that valid account — he could reset the password of any other Facebook/Accellion user with some cutting and pasting and a simple HTTP POST request, provided he knew the user's login e-mail address — effectively hijacking the account. Goldshlager said he informed Facebook and that the hole has been patched by Facebook and Accellion. However, other Accellion customers using private cloud deployments of the product could still be vulnerable."
This discussion has been archived. No new comments can be posted.

Serious Password Reset Hole In Accellion Secure FTP

Comments Filter:

What is worth doing is worth the trouble of asking somebody to do.

Working...