Biscom is a company primarily known for fax server solutions, file transfer, and data conversion. As such, it has numerous important clients, from law firms to hospitals. One of these clients happens to be the well-known IT security company and developer of Metasploit, Rapid7. As described in an article from Kaspersky Lab’s Threatpost, Rapid7 noticed a major vulnerability that led to Biscom pushing for a patch in its file transfer service.
Located in the Name and Description field of the Workspaces portion of the file transfer service, the vulnerability in question was a critical cross-site scripting exploit. As Tod Beardsley of Rapid7 explained:
“When you use it and have an account, you can set up a Workspace and share that with a support rep, for example. Because it’s a cross-site scripting bug, you can use that to spy on other Workspaces that already have a relationship with that contact… Cross-site scripting with an on-premises box means a lot… You can not only break the whole model of file permissions they have, but own the victim’s browser.
While the stipulation here is that the user who wishes to employ the XSS exploit must be “authenticated,” it won’t stop incredible havoc from occurring. The total control of data, especially considering the sensitive nature of Biscom’s client base, could have spelled disaster.
It should not be assumed that the newest patch, version 5.1.1025, is a magic bullet for safety. As is pointed out in the article, there is a social engineering side to this now-patched XSS vulnerability. As the author, Michael Momoso, points out, there is a “necessity for an existing relationship in order to carry out this particular attack.” You cannot simply just transfer files to anyone, they must give you permission. One has to wonder what other exploits can result from this model of attack, as there is already an implicit trust that can easily be hacked.
It is perhaps a question all file transfer services should ask themselves, rather than waiting for a major incident to occur. People are just as hackable as a computer is, and that is the variable security professionals must always consider.
Photo credit: Flickr / Christiaan Colen