Serious Password Reset Hole In Accellion Secure FTP

chicksdaddy writes "A security researcher who was looking for vulnerabilities in Facebook's platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion. Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he discovered the password reset vulnerability while analyzing a Accellion deployment that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access a hidden account creation page for the Facebook deployment and create a new Facebook/Accellion account linked to his e-mail address. After analyzing Accellion's password reset feature, he realized that — with that valid account — he could reset the password of any other Facebook/Accellion user with some cutting and pasting and a simple HTTP POST request, provided he knew the user's login e-mail address — effectively hijacking the account. Goldshlager said he informed Facebook and that the hole has been patched by Facebook and Accellion. However, other Accellion customers using private cloud deployments of the product could still be vulnerable."

Re:

[Anonymous Coward]

Never trust a dolphin.

Kudos to Facebook!

[tekrat]

Facebook and the vendor patched the vulnerability... That's a first, usually the first response by any large corporation to being informed of a security hole is to either have the researcher arrested or sue the researcher. And then quietly hope no one else finds the hole...

Re:Kudos to Facebook!

[dmomo]

Well, that's the case when the customers of the large corporation are the ones at risk. Here it is the large corporation who took action because it was them who were vulnerable. So, your old cynical view still stands!

Re:

[nthitz]

Comeon... Some companies do indeed do that, but Facebook has a history completely opposite of what you describe (wrst to responsible disclosure) http://www.facebook.com/whitehat/bounty/ [facebook.com]

"Private cloud deployment"?

[sloth10k]

You mean, like, I have their software installed on my server?

Re:

[VortexCortex]

Imagine a perfectly spherical volume of hot air...

Famous last words?

[godel_56]

Did you notice his final line in TFA

"Soon i will publish OAuth bypass in Facebook.com, Cya Next time!,"

Real or not? That would really stir things up.

Re:

[TheLink]

I wouldn't be surprised if that's true.

Especially when this bug existed: http://chingshiong.blogspot.co.uk/2013/01/facebook-bug-4-password-reset.html [blogspot.co.uk]
Which I think is more notable than a bug in Accellion (which I have never heard of, nor from what I've seen will ever want to use).

Re:

[egcagrac0]

We have a winner. The product is apparently grossly misnamed.

For real?

[pclminion]

Hey, I know -- let's pass the UID of the account which is being reset, in the URL which the attacker has control over. That's the ticket.

Vulnerability patched 2 major version ago

[Shurshacker]

Accellion patched this vulnerability in version FTA_9_1_x (September?). They're currently on version FTA_9_3_1.

Re:

[Shurshacker]

This was all they found/patched with that security fix. From the Accellion engineer (Oh, and it was back in March)... "20-March-2012 FTA_9_1_166 Security Fix: The release fixes a vulnerability on the password update page."

Who would have thought?

[dbIII]

Somebody managed to fuck up a version of FTP so badly it ended up as insecure as DropBox.

Re:

[Shurshacker]

Good thing it ain't FTP. ;)

Re:

[account_deleted]

Comment removed based on user account deletion