Skip to content
Naked Security Naked Security

Online file conversion services – why trust them?

If you need to edit an image, tweak a document or convert a file in a hurry, how can you tell which cloud conversion services to trust?

Let’s imagine that you just received an attachment on your phone, such as an image, a document or a spreadsheet.

Imagine you need to edit it, resize it, convert it to a new format, or something similar, but you don’t have a suitable app on your phone, and you don’t have your laptop with you.

It’s a file you don’t intend to make public – perhaps it’s a picture of your children, or a copy of your latest tax return, or your sales targets for next quarter – but you nevertheless need to work on urgently (it happens!)…

…what now?

We’re assuming that you wouldn’t go into an internet cafe, or find an internet kiosk, and upload the file onto one of their computers to work on it.

We don’t think you’d ask the stranger sitting next to you on the train if you could borrow their laptop for a bit. (By the way, if you were that stranger, we’d advise you not to lend out your laptop – make a polite excuse, but be wary of geeks bearing GIFs.)

It’s all about trust.

But how many of us use online services – publicly accessible online servers – to do just that sort of thing?

By that, we mean websites that offer online document conversion, image editing, video transcoding, animated GIF creation, barcode generation, and so forth.

Simply put – cloud conversion.

Cloud as kiosk

The cynic’s definition of using the cloud is “doing your work on someone else’s computer”, with all the risks that brings.

Indeed, if you use a cloud service that involves uploading your own private data to manipulate it remotely, you are very much “doing your work on someone else’s computer”.

If that someone else is unscrupulous, they might deliberately keep a copy of your personal files after you’ve finished with them.

If they’re incompetent, they might accidentally let crooks get hold of your personal files while you’re working on them.

In other words, just like it was above, it’s all about trust.

And that trust has to be earned, not assumed, as our chums at ZDNet reminded us yesterday when they wrote about a file conversion server in France that had allegedly been hackable for more than a year due to the ImageTragick vulnerability.

ImageTragick was a security hole in a popular open source image conversion utility called ImageMagick, a toolkit used on many websites to handle the low-level file manipulation needed to convert, resize and tweak images. The bug allowed a crook to upload booby-trapped fake images that would trick the ImageMagick software into running system commands chosen by the attacker, leading to what’s known as a remote code execution (RCE) bug. A patch for the bug, known as CVE-2016–3714, was published in May 2016.

According to ZDNet, the French servers in the story hosted close to 50 different online conversion services, with names such as rtftopdf, svgtopng and pdftotext.

Apparently, the ImageTragick hole had already been used to open up remote access to unknown attackers, implying that any file you uploaded to the service, or downloaded from it, could have been intercepted, inspected, modified or copied by unseen assailants.

And file conversion sites are entirely about uploading and downloading your own files, which is presumably why the attackers were interested in a remote access backdoor in the first place.

What to do?

If you’re going to entrust your personal data to a cloud-based service – all the way from creating a login profile to uploading one of your own files – then don’t do it unless you have a good reason to trust that service.

This is just the same sort of “personal due diligence” you need to go through when selecting an app to which you’ll entrust your data.

Indeed, just avoiding online document converters in favour of offline, downloadable ones can end in tears too, as we wrote about last year when a free tool called EasyDoc Converter turned out to be a vehicle for infecting Mac users with a remote access Trojan, or RAT.

Here are three steps you can take when choosing a service, an app, or a combination of the two (many services come with a dedicated app, especially on mobile devices, so you don’t need to use your browser):

  • Avoid apps or online services with a poor or non-existent reputation. Don’t trust a cloud service or an app about which no one yet seems to know anything.
  • Don’t rely on reviews that come with the app or service. Even in curated marketplaces like Google Play, there’s little to stop the creator of an app or online service from publishing their own glowing reviews, or paying someone else to post it for them. Seek an opinion from someone in real life whom you already know and trust.
  • Don’t use search engines as an indicator of quality. In the ZDNet case, several of the allegedly vulnerable sites in the story appeared in the first page of Google results for terms such as “pdf convert” and “image convert”.

In short…

…if in doubt, don’t give it out!


4 Comments

Thanks Paul, I always wondered about these services. My concern was that I was giving them a doc or image that they could use in some other way. I would guess that uploading to one of these services gives them information typically transferred when you make a connection to a site.

Good article and long due. I’ve forwarded your “Cynics definition” to a few of my colleagues in ICT security and information governance because it’s very well made analogy that even senior executive officers should be able to understand :)

The other issue not mentioned here is that all of these services will keep a ‘Backup’ copy (read the Terms of Use if they have them) of your document or image.
Is that something you really want? Especially “picture(s) of your children, or a copy of your latest tax return, or your sales targets” or other privileged corporate data?

Most likely, uploading sales targets is breaking your NDA, in fact, along with any other corporate data you might want to use on the fly. Then again, office 365 and a windows phone is always an option…

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?