• Companies signup for WeTransfer Plus and get a custom subdomain with their branding or logo, and custom branded email templates
  • But anyone can upload files to the company’s account without any verification – a phishing and social engineering goldmine
  • Anonymous uploads can be shared online using the company’s URL, branding, or logo
  • Malicious uploaders can have WeTransfer send their upload via email, using the company’s branding and logo if enabled, which links to the file hosted on the company’s subdomain
  • Files uploaded to a company’s WeTransfer Plus account aren’t listed in their profile, so they’ll never know – and won’t be able to delete malicious uploads being hosted at their branded subdomain
  • WeTransfer already knew about these vulnerabilities, and won’t commit to a resolution timeline

15 FEB 2018

WeTransfer did not think things through while creating their premium file transfer service. At USD $12 a month, companies get a unique subdomain (e.g. examplecorp.wetransfer.com), and the ability to put their company’s branding and logos on their upload/download interface and file transfer email notifications.

But while companies may expect that only their colleagues and clients will use this custom-branded upload portal, it’s actually open to anyone. Without any verification, anyone can use a company’s WeTransfer Plus URL to upload, send, and host files, which will appear as being from that company. Uploaded files can be emailed to anyone–inside or outside the company–and the recipient can receive an email with the company’s branding and a link to download the file at the company’s URL (a custom subdomain) with the company’s branding or logo, even though nobody at the company authorized it.

WeTransfer’s advertising material discloses the existence of an upload portal for Adidas, which has the Adidas name in the URL, Adidas branding, and the Adidas logo. But you don’t have to work at Adidas to upload a file and send it to others from the official Adidas subdomain, and with Adidas branding. Anyone can upload a file and obtain a link at that Adidas URL, making the file appear as though it was uploaded by an Adidas employee.

Because anyone can transfer a file through the company’s upload interface, WeTransfer is a goldmine for social engineering and phishing attacks. A malicious person could impersonate someone from the company, adding the appearance of authenticity through emails and download links having company branding. If a file is sent by email, WeTransfer Plus will accept any ‘To’ or ‘From’ email address, without any verification, though the company says you can manually request that your email be blocked as a sender.

(For the rest of this post, I’ll reference a fictitious company ExampleCorp and a fictitious WeTransfer Plus URL examplecorp.wetransfer.com. But it could be any company.)

Visiting examplecorp.wetransfer.com and typing in “fake_ceo@example.com” as the sender results in WeTransfer sending an email with subject line “fake_ceo@example.com sent you files via WeTransfer.” The email was branded with ExampleCorp’s banner image, and links the recipient to ExampleCorp’s authentic subdomain. But despite appearing to be from ExampleCorp, nobody at ExampleCorp sent this file.

Companies can disable email branding (the banner image), but links are still sent using the company’s unique subdomain, which can have the company’s branding and logo.

Files uploaded through examplecorp.wetransfer.com don’t necessarily have to be emailed, as WeTransfer allows anonymous uploaders to switch into ‘Link’ mode. After uploading a file anonymously, a malicious user will receive a download link that can be shared online with others, which begins with https://examplecorp.wetransfer.com, with ExampleCorp’s visual branding. This would be an easy way for a malicious person to distribute malware appearing to be from ExampleCorp, or to attempt to tarnish ExampleCorp’s brand through the sharing of repulsive imagery distributed with ExampleCorp’s URL, branding, and logo.

WeTransfer makes it impossible for companies to know about files being hosted with their branding and subdomain

All of the above issues are bad enough, but then there’s the issue of detection. I initially assumed that anything uploaded to ExampleCorp’s account and using examplecorp.wetransfer.com would be visible to ExampleCorp. But alarmingly, that’s not the case. Nobody at ExampleCorp, including the WeTransfer Plus account owner, receives any form of email or notification about uploads on their custom URL, unless their email address is in the ‘To’ field on the upload.

Worse yet, WeTransfer allows files to continue to be hosted on examplecorp.wetransfer.com using ExampleCorp’s branded download page without any visibility to ExampleCorp. If the account administrator visits the ‘Transfers’ page while logged into their account, it only lists files they have uploaded themselves. In other words, WeTransfer Plus allows anyone to host files using your company’s branding and logo, and your company’s URL, and you have no way of finding out about it.

WeTransfer knew about this problem, and did nothing. Their help center addresses the question “My transfer overview doesn’t show all my transfers?” with the response, “Transfers sent from your Profile by somebody else or sent from the free service won’t show up in your transfer overview.”

WeTransfer misleadingly claims that adding a default recipient to your company’s WeTransfer Plus account will lock transfers down to only come to you, which would solve most of the concerns described here. But it doesn’t work. WeTransfer’s FAQ describes this feature in three places: that adding a default recipient will “allow [uploaders] to send you, and only you” files, and that “the option to add a default recipient email address . . . will allow anyone you send to your Plus Profile to send 20GB to you and only you,” and that “Once you add your email address as a default recipient, anyone visiting your Profile will be able to send 20GB to that email address (and only that address).

I tested this, and it’s not true. After adding a default recipient, examplecorp.wetransfer.com was pre-filled with my email address–the administrator on the account–but it was simple to just delete that address from the ‘To’ field and put in someone else’s email address. Also, the ability to upload and obtain a “https://examplecorp.wetransfer.com/…” download link–rather than send an email transfer–was still operational. On this specific issue, WeTransfer told me via email that the ability to delete the default recipient is “intentional” and that “[i]t’s not meant to lock down the profile,” despite what their FAQs say.

Here’s the process showing a default recipient being removed by simply clicking ‘X’, allowing the company’s custom-branded portal to be used to send files to anyone, using the company’s branded emails and download links:

WeTransfer also says WeTransfer Plus URLs allow others to “instantly send you up to 20GB” and that “[o]nly you will be able to see your transfer history and you can decide who downloads your files” (emphasis added). That’s false.

WeTransfer policies don’t allow companies to delete files uploaded by others and being hosted on their branded download page

Despite having addressed why it’s unlikely a company would become aware of their WeTransfer Plus page being used inappropriately, let’s say they do find out that someone has uploaded a malicious file, and it’s currently being hosted on examplecorp.wetransfer.com using ExampleCorp’s logo and branding. How do you stop it? The answer is complicated, as it appears to be a gap in WeTransfer’s policies. Because the upload was made by an unauthenticated user, WeTransfer treats the file as though it was uploaded using WeTransfer’s free service; it’s the uploader’s property and not ExampleCorp’s in WeTransfer’s eyes, even though the file was uploaded and continues to be hosted using ExampleCorp’s subdomain and logo branding.

There’s no portal or automated process to find or remove these files. WeTransfer’s deletion policy states, “You can’t delete a transfer yourself if you’ve used the free service. However, our Happiness Troupe is happy to assist with deleting a transfer as an exception for you.” The policy goes on to list requirements, including that “[y]ou have to be the sender of the transfer and you must send us a request from the email address you used to make the transfer” and “[y]ou need the confirmation you received when you completed your upload.” Obviously, ExampleCorp isn’t going to have any of this information if they didn’t send the file. But I tested the process anyway, by uploading a file and then asking WeTransfer to remove it. It took WeTransfer five hours to respond, only to ask me to provide more information. I provided the requested information, and WeTransfer took another eight-and-a-half hours to respond, all while my upload remained online.

But that’s the process for files that are sent via email. If the uploader requests a link, instead of sending an email, WeTransfer won’t delete the file. According to their policy, “There’s no way to get rid of link transfers if you’re using the free service. Once you complete an upload, you’ll have to wait until the transfer expires. That means the regular 7 days apply.” This is yet another gap in policy, because link uploads made via examplecorp.wetransfer.com are actually given a longer retention period of four weeks, as can be seen in the first screenshot of this post.

It is questionable that WeTransfer Plus is configured such that ExampleCorp will not find out about files sent and hosted using their subdomain and branding; that policy gaps don’t cover deletion needs; and that WeTransfer response times to support requests are so slow. A malicious or brand-tarnishing file being hosted on a company’s custom subdomain, served with their branding and logo, constitutes an emergency. But WeTransfer took 13 hours to handle a deletion request, and their support response goal is even longer: 24 hours. WeTransfer’s website does not list a support phone number. I was able to locate a phone number associated with WeTransfer in the Netherlands, but multiple calls during business hours in both the U.S. and the Netherlands went straight to an answering service.

WeTransfer’s terms of service make anonymous uploads onto a company’s branded portal the uploader’s property, and not the company’s

When you visit examplecorp.wetransfer.com to upload or download a file, you must agree to WeTransfer’s terms of service to continue. Companies signing up for WeTransfer must also agree to those terms of service.

The terms of service reflect yet another gap in policy. It separates the WeTransfer Regular service (wetransfer.com), which allows anyone to upload files, and the WeTransfer Plus service (examplecorp.wetransfer.com), which–well, also allows anyone to upload files. It appears the WeTransfer Plus terms are written for the account owner (ExampleCorp) and not the uploader, because it discusses how subscriptions, cancellation, and billing works. So, people visiting examplecorp.wetransfer.com are not Plus users, despite being on a Plus account’s upload portal; they are WeTransfer Regular users.

Thus, the terms of service appear to actually give anyone permission to upload files on examplecorp.wetransfer.com, even though they have no affiliation with ExampleCorp, aren’t sending files to ExampleCorp, and are not the subscription holder. Moreover, according to WeTransfer’s terms, WeTransfer promises confidentiality between the sender and recipient, prohibiting WeTransfer from disclosing to ExampleCorp that anyone uploaded a file to examplecorp.wetransfer.com unless the sender put in ExampleCorp’s contact information.

Of course, WeTransfer’s terms do prohibit uploading illegal files, hate speech, impersonation, and so on. But is hosting a file on examplecorp.wetransfer.com–if you claim no affiliation to ExampleCorp in your words–illegal or impersonating? It doesn’t appear so to me.

The terms of service also include a requirement that users “always respect and observe the good name and reputation of WeTransfer” and include broad limitation of liability and indemnification clauses. To quote WeTransfer’s website, “If you choose to use our service, that’s at your own risk.”

Branded email notifications build trust… for impersonators and phishing attacks

In a blog post discussing the implementation of branded email notifications on WeTransfer Plus accounts, a WeTransfer product designer wrote, “Four very important cornerstones of WeTransfer are the super easy upload, the fast download, our wallpapers and the emails we send out.” For a file transfer service, I’m surprised security isn’t one of those cornerstones.

WeTransfer specifically wrote that the purpose of branded email notifications is to build trust with recognizable brand elements:

“This means it’s easier to recognize your transfers when people receive them, and it gives the emails much more character. In this way you build more trust between the sender and receiver because you can create an ecosystem of recognizable brand elements with your download page and emails. I think one of the biggest achievements for a platform like WeTransfer is that people trust you.”

But if anyone can use a company’s upload portal and send emails from anyone to anyone using the company’s branding, that trust can be abused for the benefit of malicious actors and phishing attacks. I’ll note again that branded emails can be disabled, but WeTransfer inadequately describes to their users the risks of enabling them.

WeTransfer’s FAQs address the issue of your email address being used without permission, but their answer is bizarre. On an FAQ page titled “Someone else used my email address, now what?!” WeTransfer states, “Our ease of use is a core value, that’s why we allow our users to enter any email address they want. This sometimes has the effect you are experiencing, where someone else uses your email address. Most likely even by mistake! This can happen when you’ve used our service on a public computer, or at work, for example. You can easily avoid this by cleaning out your cache or cookies . . .” This answer fails to address the seriousness of forgery and impersonation that WeTransfer is facilitating, and provides a completely unhelpful solution in suggesting users clear their cache. Clearing your cache will do nothing to stop someone else from impersonating you online.

WeTransfer does address impersonation in more detail on their “Phishing attempts and weird WeTransfer imitations” page, which severely misses the mark. WeTransfer acknowledges the risks of phishing and malware, but suggests the risk can be mitigated through making sure the download link actually brings you to WeTransfer, that the email came from someone you now, that the layout of the email isn’t unusual, and so on. All of these mitigation factors fail because the issue discussed here is not that others are creating fake WeTransfer emails; the emails are real emails that WeTransfer actually sent because someone unauthorized is able to transfer files without authentication or verification using the company’s WeTransfer URL.

Impersonation and phishing through WeTransfer isn’t just a possibility. In a blog post from over two years ago, a company describes their CEO getting an email that appeared to be from their attorney, but wasn’t. It was a genuine WeTransfer email, and the download link led to WeTransfer-hosted malware, according to the post.

WeTransfer’s response: responsible disclosure run-around

I believe in responsible disclosure, the practice of alerting a company to security issues, and giving them a chance to fix it before telling the world. In this case, it’s clear WeTransfer already knew about the problems based on their FAQ specifically addressing the issues of impersonation, lack of verification, missing transfers, and so on. But, I wanted to give them a chance. So I turned to WeTransfer’s responsible disclosure policy. It’s awesome they have one, but actually… they have three. Each with conflicting information and contact email addresses.

  • Policy #1: On WeTransfer’s Responsible Disclosure Policy page, WeTransfer states that they will respond within five business days, stating that reports must be submitted to a third-party service called Zerocopter. They don’t limit the scope of reports in any way. They provide the generic support email address support@wetransfer.com for any questions.
  • Policy #2: On the Zerocopter form for reporting security issues, there’s yet another policy, which states that issues surrounding inadequate policies, the lack of email verification and authentication, the ability to upload malicious files, susceptibility to social engineering attacks, and WeTransfer’s potential failures to adhere to best practices are all “out of scope.” And while this policy states that it’s okay to send anonymous or pseudonymous reports, you are also required to agree to Zerocopter’s terms, which require agreement with a non-disclosure clause, indemnification, and consent to an “ID verification check” and “background check.” No thanks. This website provides a different email address for questions: security@wetransfer.com.
  • Policy #3: WeTransfer has another different responsible disclosure policy, which states that they’ll respond within 24 hours (instead of five days), providing stronger legal protection for the reporter, with a far greater scope. The policy requests that reports be GPG-encrypted, but doesn’t provide a public key. This policy provides yet another email address: secureforsure@wetransfer.com, which is not listed in any of the major GPG keyservers.

I did get in touch with a WeTransfer senior support agent, who responded to these concerns as follows:

“Right now, with the ease of use of WeTransfer, it is possible for somebody who has your profile URL to send files via your Plus Profile. These don’t take up any of your storage, but they will include your Profile name. However, we haven’t experienced people using Plus profiles in such a malicious way. This is because you would need to share the URL with somebody before they can visit your Plus profile, they are not searchable on the internet . . .”

This is a rather shallow defense. If companies using WeTransfer Plus aren’t made aware that files can be uploaded to their account without their knowledge, they are unlikely to tell WeTransfer support about it. And while it’s true that WeTransfer Plus URLs like examplecorp.wetransfer.com do use a robots.txt file to request search engines not index the site, a simple Google search for “our WeTransfer” or “via WeTransfer” yields dozens of companies putting their URLs on their website to provide easy access to their customers and vendors. Companies aren’t aware of the risks, so they don’t protect their WeTransfer Plus URLs. WeTransfer’s FAQs even state “A Plus Profile is a public URL, designed to be viewable to the public.”

WeTransfer’s senior support agent continued:

“. . . We are aware of similar concerns to your own, where users want to ensure their Plus account cannot be used this way. Rest assured, we’re listening to all of you. We’ve had discussions about how we can improve the service and ensure our users’ concerns are addressed. Ideas that have been discussed range from a blacklist/whitelist function, trusted senders and more in depth privacy options. Right now, we have not yet fully realized and implemented this extra layer of security but we also haven’t seen malicious users accessing Plus profiles in this way.”

Pushed to provide a specific timeline, she responded, “We don’t have an ETA on this just yet, I’m afraid. However, I can look into getting an article published in our Help Centre on this.”

Through an email to security@wetransfer.com, a WeTransfer backend engineer responded:

“As you might imagine it’s a tricky thing to balance — we want to enable users to send files as easily as possible, while at the same time ensuring their security and privacy. We are aware of the potential malicious usage you describe and are taking action to mitigate it, though as plus profiles are not indexable (unless posted somewhere outside our control) we haven’t experienced people using profiles in this way. It’s also worth mentioning that there is a setting in the Plus profile that makes it so that only emails sent while signed in will use your own Plus branding.”

Again, WeTransfer does not tell their customers that it’s a bad idea to share their URLs, and says “A Plus Profile is a public URL, designed to be viewable to the public.” I also mentioned earlier that the email branding can be disabled, but: (a) emails can still be sent using someone else’s email address; (b) the links (via email or in link mode) are still shareable with the company’s unique custom URL and branded interface; (c) the company has no way of finding out others are using its custom URL; and (d) WeTransfer doesn’t tell their users about the risks of having branded emails.

I asked WeTransfer’s backend engineer to elaborate on what “taking action to mitigate it” means, as I certainly didn’t experience any mitigation. He responded, “In terms of mitigation – these features are still under development and have not yet been released.”

I also brought up the fact that WeTransfer’s FAQ says in three locations that setting a default recipient locks a WeTransfer Plus URL to only send to that email address, but that the feature was broken and could be bypassed by simply deleting that email address or switching to link mode, as illustrated above. He responded, “The default email feature you describe is intentional – it is meant to facilitate people who use WeTransfer both within teams (so they might want to change the address) and to provide a default recipient. It’s not meant to lock down the profile.”

WeTransfer’s backend engineer did not indicate the overall functionality of WeTransfer Plus was being analyzed or fixed, but did say that an email verification “solution is in the works, though I don’t have an ETA.”

I reached out to WeTransfer’s spokesperson to discuss these issues, and the overall balance of ease-of-use versus security practices.

“There are unfortunately a myriad of places on the internet (and offline) where you can impersonate someone,” said Jeff Sen, WeTransfer’s Vice President. “That said, this is on our radar and we are actively looking into ways of making WeTransfer a ‘safer’ subset of the internet.”

Sen continued, “I cannot give you an ETA on this at this stage … With everything we do, we want to make sure we are careful not to jeopardize the ease-of-use we offer (no log-in, no accounts), as this is crucial to many of our users.” He said WeTransfer would look into clarifying WeTransfer’s help center articles in the meantime.

I asked Sen if WeTransfer thought it was acceptable that anyone could upload files to a company’s account, to share using their branding and logo, without that file being listed in the company’s account. He did not immediately respond.