Slashdot: News for Nerds

Serious Password Reset Hole In Accellion Secure FTP

Soulskill posted about a year and a half ago | from the how-to-annoy-other-users dept.

Security 27

chicksdaddy writes "A security researcher who was looking for vulnerabilities in Facebook's platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion. Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he discovered the password reset vulnerability while analyzing an Accellion deployment that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access a hidden account creation page for the Facebook deployment and create a new Facebook/Accellion account linked to his e-mail address. After analyzing Accellion's password reset feature, he realized that — with that valid account — he could reset the password of any other Facebook/Accellion user with some cutting and pasting and a simple HTTP POST request, provided he knew the user's login e-mail address — effectively hijacking the account. Goldshlager said he informed Facebook and that the hole has been patched by Facebook and Accellion. However, other Accellion customers using private cloud deployments of the product could still be vulnerable."
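The pattern the summary describes, a reset endpoint that lets any valid account name the target, shown beside a reset flow bound to a server-issued single-use token. This is an added example written for this page; it is not Accellion's, Facebook's or Goldshlager's code. The form field names (`target_email`, `new_password`), the two-user store and the in-memory outbox are constructed for the illustration, since the write-up only says the target could be chosen with "a simple HTTP POST".

```python
"""Password reset: attacker-chosen target vs server-bound single-use token.

Added example, not Accellion's or Facebook's code. The form field names
(`target_email`, `new_password`) and the two accounts are assumptions.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field


def _hash(value: str) -> str:
    # Toy hash for a self-contained demo; real password storage uses a KDF
    # (argon2/bcrypt/scrypt), and reset tokens are stored only as a hash.
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed user store: email -> password hash.
USERS = {
    "victim@example.com": {"pw": _hash("victim-secret")},
    "attacker@example.com": {"pw": _hash("attacker-secret")},
}


def login_ok(email: str, password: str) -> bool:
    user = USERS.get(email)
    return user is not None and secrets.compare_digest(user["pw"], _hash(password))


# --- Vulnerable pattern: the caller is authenticated, but the *target* of the
# reset is read from the request body, so any account can reset any other. ---
def vulnerable_reset(session_email: str, form: dict) -> bool:
    if session_email not in USERS:          # only asks "is someone logged in?"
        return False
    target = form["target_email"]           # attacker-controlled, never tied to the session
    if target not in USERS:
        return False
    USERS[target]["pw"] = _hash(form["new_password"])
    return True


# --- Hardened pattern: the target is bound server-side to a random token that
# only reaches the mailbox owner; the completing request names no account. ---
@dataclass
class ResetService:
    ttl_seconds: int = 900
    _pending: dict = field(default_factory=dict)   # token hash -> (email, expiry)
    outbox: list = field(default_factory=list)     # stands in for the mail server

    def request_reset(self, email: str) -> None:
        # Returns nothing either way, so the endpoint does not reveal whether
        # the address is registered.
        if email in USERS:
            token = secrets.token_urlsafe(32)
            self._pending[_hash(token)] = (email, time.time() + self.ttl_seconds)
            self.outbox.append((email, token))

    def complete_reset(self, token: str, new_password: str) -> bool:
        record = self._pending.pop(_hash(token), None)   # single use, even on failure
        if record is None:
            return False
        email, expiry = record
        if time.time() > expiry:
            return False
        USERS[email]["pw"] = _hash(new_password)         # target comes from the record
        return True


def demo() -> dict:
    """Attacker holding a valid account of their own tries to take over the victim."""
    results = {}
    attack = {"target_email": "victim@example.com", "new_password": "pwned"}
    results["vulnerable_hijacked"] = vulnerable_reset("attacker@example.com", attack)
    results["vulnerable_login"] = login_ok("victim@example.com", "pwned")

    svc = ResetService()
    svc.request_reset("victim@example.com")        # attacker can trigger this...
    results["hardened_guess"] = svc.complete_reset("not-the-token", "pwned")
    _, token = svc.outbox[-1]                      # ...but only the victim's mailbox gets it
    results["hardened_owner"] = svc.complete_reset(token, "fresh-secret")
    results["hardened_replay"] = svc.complete_reset(token, "again")
    return results


if __name__ == "__main__":
    print(demo())
```

The difference is where the account identity comes from: in the vulnerable handler it is a request parameter that any authenticated user can set, in the hardened one it is recovered from a record the server created when the token was issued, so knowing the victim's e-mail address buys the attacker nothing without access to that mailbox.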

27 comments

Hard truth (0)

Anonymous Coward | about a year and a half ago | (#42524279)

Never trust proprietary software.

Re:Hard truth (3, Funny)

Anonymous Coward | about a year and a half ago | (#42524359)

Never trust a dolphin.

Re:Hard truth (0)

Anonymous Coward | about a year and a half ago | (#42524591)

Never trust a bear.

Kudos to Facebook! (4, Insightful)

tekrat (242117) | about a year and a half ago | (#42524301)

Facebook and the vendor patched the vulnerability... That's a first, usually the first response by any large corporation to being informed of a security hole is to either have the researcher arrested or sue the researcher. And then quietly hope no one else finds the hole...

Re:Kudos to Facebook! (3, Insightful)

dmomo (256005) | about a year and a half ago | (#42524437)

Well, that's the case when the customers of the large corporation are the ones at risk. Here it is the large corporation who took action because it was them who were vulnerable. So, your old cynical view still stands!

seriously? (0)

Anonymous Coward | about a year and a half ago | (#42524597)

facebook would be out of business if they =didn't= patch it..

imagine their tone being "oh who cares if anyone can reset anyone's password whenever they want".. that's a great business model..

facebook isn't some random open sores cms project that lazy neckbeards don't give a fuck about

Re:Kudos to Facebook! (1)

nthitz (840462) | about a year and a half ago | (#42525855)

Come on... Some companies do indeed do that, but Facebook has a history completely opposite of what you describe (w.r.t. responsible disclosure) http://www.facebook.com/whitehat/bounty/ [facebook.com]

Re:Kudos to Facebook! (0)

Anonymous Coward | about a year and a half ago | (#42526593)

Might this have to do with the researcher being located outside the country of origin of the relevant software firm? All the instances I can think of off the top of my head of harassment have been when there's no issue of extradition.

Of course, I don't know what kinds of extradition treaties the US and Israel might have, so go figure.

Clean fruit (-1)

Anonymous Coward | about a year and a half ago | (#42524403)

Really good story man [fruitgarden.vn]

Goldshlager? (0)

Anonymous Coward | about a year and a half ago | (#42524477)

Look out, a Bond villain figured out how to hack Facebook!

Re:Goldshlager? (0)

Anonymous Coward | about a year and a half ago | (#42524727)

No, I think that's a liquor.

"Private cloud deployment"? (2)

sloth10k (1298709) | about a year and a half ago | (#42524899)

You mean, like, I have their software installed on my server?

Re:"Private cloud deployment"? (1)

VortexCortex (1117377) | about a year and a half ago | (#42525087)

Imagine a perfectly spherical volume of hot air...

Famous last words? (1)

godel_56 (1287256) | about a year and a half ago | (#42525147)

Did you notice his final line in TFA?

"Soon i will publish OAuth bypass in Facebook.com, Cya Next time!,"

Real or not? That would really stir things up.

Re:Famous last words? (1)

TheLink (130905) | about a year and a half ago | (#42527425)

I wouldn't be surprised if that's true.

Especially when this bug existed: http://chingshiong.blogspot.co.uk/2013/01/facebook-bug-4-password-reset.html [blogspot.co.uk]
Which I think is more notable than a bug in Accellion (which I have never heard of, nor from what I've seen will ever want to use).

Secure? As if! (0)

Anonymous Coward | about a year and a half ago | (#42525355)

Third big bug in Accellion File Transfer; "Secure" is a misnomer.

1) http://www.portcullis-security.com/pages/other/multiple-vulnerabilities-in-the-accellion-secure-file-transfer-web-application-allows-remote-compromise-as-a-root-user.php
2) http://www.rapid7.com/resources/advisories/R7-0039.jsp
3) This one!

Re:Secure? As if! (1)

egcagrac0 (1410377) | about a year and a half ago | (#42527047)

We have a winner. The product is apparently grossly misnamed.

For real? (1)

pclminion (145572) | about a year and a half ago | (#42525393)

Hey, I know -- let's pass the UID of the account which is being reset, in the URL which the attacker has control over. That's the ticket.

SSH? (0)

Anonymous Coward | about a year and a half ago | (#42525631)

I suppose SSH wasn't enterprisey enough.

Vulnerability patched 2 major versions ago (1)

Shurshacker (2811277) | about a year and a half ago | (#42525813)

Accellion patched this vulnerability in version FTA_9_1_x (September?). They're currently on version FTA_9_3_1.

Re:Vulnerability patched 2 major versions ago (0)

Anonymous Coward | about a year and a half ago | (#42525933)

wonder what else they found?

Re:Vulnerability patched 2 major versions ago (1)

Shurshacker (2811277) | about a year and a half ago | (#42526049)

This was all they found/patched with that security fix. From the Accellion engineer (Oh, and it was back in March)... "20-March-2012 FTA_9_1_166 Security Fix: The release fixes a vulnerability on the password update page."

Re:Vulnerability patched 2 major versions ago (0)

Anonymous Coward | about a year and a half ago | (#42526349)

According to support it was fixed last March in the FTA_9_1_166 release. From the change log details:
"20-March-2012 FTA_9_1_166
Security Fix: The release fixes a vulnerability on the password update page."

Who would have thought? (2)

dbIII (701233) | about a year and a half ago | (#42525891)

Somebody managed to fuck up a version of FTP so badly it ended up as insecure as DropBox.

Re:Who would have thought? (2)

Shurshacker (2811277) | about a year and a half ago | (#42525979)

Good thing it ain't FTP. ;)

*shakes head* There's gotta be a better way... (0)

Anonymous Coward | about a year and a half ago | (#42527327)

Why can't we build secure software? Maybe the correct question to be asking is why are application programmers being allowed to build security features at all - and why do our tools let us do that?

After the 1000th zero day you'd think the IT industry would be rethinking this thing...

Re:*shakes head* There's gotta be a better way... (1)

OneAhead (1495535) | about a year and a half ago | (#42539959)

I'm contemplating a tool that doesn't let us do that, but all that comes to mind is an animated paperclip saying "It looks like you're writing a security feature."