85 million users, active since 2009, thousands of shared files every day. What about security? Is Wetransfer secure or are there any issues to consider?
In this article, we want to shed light on Wetransfer, a free file transfer service that has existed since 2009. Today it counts 85 million users and thousands of shared files daily. Its strong point is the simplicity to send documents up to 2GB to 20 email addresses simultaneously, without any subscription or registration to the site.
Wetransfer has also realized a community of artists around its service: from the launch date, Wetransfer has distributed 30% of the advertising background spaces to support and give notoriety to artists. This means every time people have a file to download, they can appreciate unique artworks, delivering value-added while they wait.
This is Wetransfer in a nutshell. But, how does Wetransfer work? Does everyone know the critical issues of this service? Is Wetransfer secure or are there some shadows to investigate?
On this page, you’ll find:
- An analysis of the main aspects regarding security and privacy of Wetransfer, including encryption, cloud act, leaked urls and so on.
- Several alternatives to Wetransfer for secure file transfer.
- How Cubbit Private Links can be a reliable alternative that you should try for free.
Let’s go find out!
Is Wetransfer secure? The issues
Encryption
The first key element we analyse is the Wetransfer’s process to encode information. Wetransfer doesn’t use end-to-end encryption. In Wetransfer’s documentation, you can read that files are encrypted when:
- you transfer documents or files through TLS (a cryptographic protocol used in telecommunications and computer science)
- you store them through AES-256 encryption (military grade encryption).
Once files are stored, you can only access them with links sent from the sender to the recipient. However, we have to add a consideration: to access the Wetransfer files just a simple link is needed, while a password isn’t required. Thus, your files are safe only if the recipient preserves the link safely and if the sender does it too!
If the link was shared on Facebook, this would instantly expose your file to relevant privacy and security issues.
Without end-to-end encryption, the communication sender-receivers isn’t safe. Wherefore, if you send data via Wetransfer, you must be aware that this data is first uploaded to the provider’s cloud storage.
- Loading onto the platform and sending links are generally encrypted...
- ...but the recipient receives the email in unencrypted form so that it can download the data.
This creates a security gap in file transfer, where attackers could intercept the email and then access data. This means that Wetransfer is not really secure on this side.
Related reading: What is secure file transfer & why it changes the game
Cybercrime
Several experts stated that today many clouds are used by companies for business purposes. Often these clouds have not been created for businesses and therefore don’t provide security guarantees for the data being exchanged!
Wetransfer is a service created for private users. If an enterprise shares sensitive data through this platform its data can be intercepted. Unfortunately, this is a situation that already happened in the past. In June 2019 a security incident happened: emails supporting Wetransfer services were sent to unwanted email addresses.
Criminal organizations know that companies use exchange services like Wetransfer and consequently exploit them to bypass cybersecurity at the email level. Therefore, Cyber-thieves know where and when these services are used and, for these reasons, can take advantage of them to spread malware.
Another unexpected event on this topic happened in 2015. There was a case of phishing: different users had received fake emails with which it was believed that the link to download was sent directly from the Wetransfer server, but, instead, it was a page that cheated the graphics, hosted on compromised servers that served as a “virus diffusion center”.
These are examples of a phenomenon that happens more and more frequently. Cybercrime is the greatest threat to every company in the world, and one of the biggest problems.
Cybersecurity Ventures, an official Annual Cybercrime Report, predicts “cybercrime will cost the world in excess of $6 trillion annually by 2021, up from $3 trillion in 2015” and that “a business will fall victim to a ransomware attack every 14 seconds by 2019, and every 11 seconds by 2021”.
URL WeTransfer Plus
Another problem concerns the "premium" service offered by Wetransfer to companies. The service allows the company to obtain a unique subdomain (for instance: examplecorp.wetransfer.com) and the ability to enter the brand and logo of your company on its upload/ download interface and on email notifications of the file transfer.
This is a loading portal open to anyone and whoever, without any verification, can use a company’s Wetransfer Plus URL to upload, send and host files. Uploaded files can be sent by email to anyone and the recipient receives an email with the company’s brand, even though no one at the company authorized it!
Patriot Act and Cloud Act
In line with the previous topic, Wetransfer uses storage locations in the United States for its service applying the “Patriot Act” and the “Cloud Act”. These laws allow US authorities to access personal information. For these reasons, your privacy isn’t guaranteed.
Related reading: How to protect your privacy online: 5 actionable tips!
“If you’re not paying for the product, then you are the product,” goes a saying that has been around since the 1970s. When applied to internet companies, the adage explains that even though some services appear free, they make money by some other means. This appears to be true even for Wetransfer. When you use this service you pay a price for its simplicity and comfort, a price that does not translate into “money”, but:
- unchecked government power to rifle through financial records, Internet usage, etc.;
- a communication sender-receivers that isn’t safe;
- risk of cybercrime events.
Related reading: Safest cloud storage of 2021: 9 best solutions
Wetransfer could be a risk for your security.
What is the solution then?
Wetransfer is a service demanded by many consumers. Most of them use it for its simplicity and convenience, but is Wetransfer secure? Not really since it makes every user’s privacy vulnerable. This problem is even more serious and urgent when the users are companies and there are business dynamics. The worst risk is the interception of files that can occur between sender and recipient.
Here, there are some solutions.
- Stay aware while you use the service: don’t share personal data, photos, documents, or economic information.
- If you want to share some files make sure they are encrypted files and that it needs a password to open them. Read our simple guides on how to send a file encrypted or how to share password-protected files.
- If you often need to share several sensitive files, you should take a look at the alternatives available. Nowadays there are different secure substitutes to Wetransfer. Some companies have created different services to respond to both private users and business users. One effective solution is Cubbit. Let’s see the reasons together!
How Cubbit works differently?
Cubbit is an innovative solution that was born in 2016. It’s the first distributed cloud provider without a data center that offers privacy by design and three levels of security:
- Every file is protected by design and encrypted with the most advanced AES-256 algorithms, a military grade protocol;
- Split into some chunks which are multiplied to ensure redundancy and constant uptime;
- All these parts are spread across Cubbit’s peer to peer network.
These are steps on which Cubbit’s zero-knowledge encryption is based where no one, not even the provider, can access your files.
Moreover, in Cubbit, individuals and organizations can find specific services tailored for both of them.
An interesting feature is Cubbit Private Link that allows you to share your files safely because each file is protected by a private link. Thanks to this feature, if you want to send a file that only the recipient can see:
- You have to copy the private link and the respective key link (as you can see in the image below). The recipient will be able to open the file only if it has the key link.
- Then, you have to send both private and key links through a web service email or another channel. We recommend you to send the encrypted links separately, through two different channels (If you use Signal to send the private link, don’t use it to send also the key link!).
Thanks to this structure the communication sender-receiver is protected by end-to-end encryption and the risks of cybercrimes events don’t exist anymore.
In the privacy policy, you can read clearly “Your personal data will be processed by our team and will never be sold to third parties''. Anyway, Cubbit is not able to disclose the content of the data in your account to the authorities as it does not have access to your password! Therefore, it is not able to decrypt the files stored within it: users’ files are not stored in a single data center, they are spread on the Cubbit Network but still private. Being spread, vulnerability is minimized and security is higher!
For these reasons, Cubbit could be a revolution for your business guaranteeing you peace of mind.
We have answered to the question "Is Wetransfer secure?" and noticed that one of the most used services for file-transfer hides issues. This could be a risk for your privacy and file security. Nowadays it is essential to protect our personal information. This implies that we need to make conscious choices, especially when we navigate on the Internet and rely on free web service.
The punchline of this article is: stay aware, pay attention and find the optimal solution for yourselves and your company network.
Violation of privacy is a risk. When it happens, it has devastating consequences. You can avoid it.
Don’t ignore what concerns yourself. Try Cubbit for free for 30 days, with no credit card required.