21 May 2010

PDF Information Leakage

Like many other document and files on your web site, PDFs can leak information in more than one way. Apart from the normal content, there is often meta data, information from previous versions and sometimes, links to internal resources.

Partial image of the beginning of the Financial Services Authority (FSA) template for letters alerting people to the risk of fraud - taken from the public document at http://www.fsa.gov.uk/pubs/press/operation_domingo.pdf - showing the FSA logo at the top right and the text '19 May 2010... Dear ..., This is a warning - you may be targeted by fraudsters I'm writing to you from the Financial Services Authority (FSA) to warn you that your name has been identified on a list currently being used by share fraudsters. These fraudsters, commonly known as boiler rooms, may contact you by telephone with offers to buy worthless shares.  Companies should never call you out of the blue offering to buy or sell shares. Please do not take up...'

On Wednesday, the Financial Services Authority (FSA) reported they had acquired a list of 38,000 names, addresses and telephone number that boiler rooms were using to target potential investors in worthless shares. The FSA wrote a letter to all the people listed. They also published the letter's outline format as a PDF. Unfortunately four enabled hyperlinks in the document do not reference the www.fsa.gov.uk website as intended, but instead a file on someone's computer, probably at the FSA.

Partial image of the of the FSA's template after clicking on an embedded hyperlink with a pop-up alert saying the link goes to 'D:\Documents and Settings\JMCNICHOL\Local Settings\JMCNICHOL\Local Settings\Temporary Internet Files\OLK9\www.fsa.gov.uk\Pages\Doing\Regulated\Law\Alerts\form.shtml'

Oh dear. Nothing too serious this time, but everything that is published should be checked for validity before release, and verified after publication. This should include all information, not just the normal visual content. The FSA should know better. Publishing to print (e.g. the letters) removes some of this additional information where publishing to an electronic format (e.g. PDF) doesn't always. All publishing should follow standard procedures and approvals processes should include checks for additional information.

Embedded data may leak business information (e.g. previous changes, authors' comments, file paths, account names, intellectual property) or personal data (e.g. location data, names), and possibly give malicious users information that will help them exploit the organisation's systems.

Also, some good news for the FSA, it has survived the change of government.

Posted on: 21 May 2010 at 07:54 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter


Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
PDF Information Leakage
ISO/IEC 18004:2006 QR code for https://clerkendweller.uk

Page https://www.clerkendweller.uk/2010/5/21/PDF-Information-Leakage
Requested by on Saturday, 28 November 2015 at 14:47 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use https://www.clerkendweller.uk/page/terms
Privacy statement https://www.clerkendweller.uk/page/privacy
© 2010-2015 clerkendweller.uk