An anonymous security researcher has revealed that a server hosting some of the most popular free online file converters has been hacked numerous times within the past year. The researcher revealed that attackers were able to obtain root access to the server, along with everything stored on it.
With this kind of access, the hackers are in a position to silently exfiltrate uploaded files. “It’s, however, hard to determine the purpose of the shells and whether they are still active,” added the researcher, who agreed to comment only on condition of anonymity.
Some of the online file converters hosted on the Paris-based server include combinepdf.com, pdftoimage.com, jpg2pdf.com, pdfcompressor.com, imagetopdf.com, and wordtojpeg.com.
They may not be the most popular file-conversion sites in the world, but thousands of people use them daily, according to various traffic statistics and metrics sites. Searching Google for terms like ‘image convert’ and ‘pdf convert’ brings up some of the affected sites on the first page of results, which gives them a high chance of being used by unsuspecting users.
But as it turns out, this may not be the first time the server was compromised. It was found to contain bugs more than a year old, collectively known as “ImageTragick,” which are far easier to exploit: in some cases, just four lines of code uploaded to the server are all that’s needed.
The bug’s seriousness cannot be overstated: Facebook paid a researcher a record-high bounty after learning that its site was vulnerable, and Yahoo stopped using the software altogether. Yet many sites and servers remain unpatched.
Immediately after an image is uploaded, the embedded code runs and opens a bind shell, which silently accepts commands from the attacker’s server.
This vulnerable server was found to host at least three open bind shells. “What this incident is capable of doing concerns me. There is enormous data moving in and out of the server, yet the server owner hadn’t noticed it,” explained the security researcher.
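The standard mitigation for ImageTragick-class uploads is to reject files whose bytes do not carry a genuine raster image signature before they ever reach ImageMagick, and to disable the risky coders in ImageMagick’s policy.xml. The script below is an added example written for this article, not code from the affected sites or from ImageMagick; the sample uploads and the two policy snippets are constructed inline, and the list of coders to block follows the publicly recommended ImageTragick mitigation.

```python
"""Defensive checks against ImageTragick-style uploads (added example).

Two controls:
 1. Magic-byte validation: refuse files whose bytes do not start with a
    known raster image signature, so text-based ImageMagick formats
    (MVG, MSL) cannot be smuggled in under a .jpg/.png name.
 2. policy.xml audit: confirm the ImageMagick security policy sets
    rights="none" for the coders the ImageTragick guidance says to block.
"""
import xml.etree.ElementTree as ET

# Signatures of raster formats a converter service actually expects.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Coders the ImageTragick mitigation guidance recommends disabling.
RISKY_CODERS = {"EPHEMERAL", "URL", "HTTPS", "MVG", "MSL",
                "TEXT", "SHOW", "WIN", "PLT"}

# Constructed sample uploads (not real captured files).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
# A text-based vector description renamed to .jpg: ImageMagick would
# sniff its content and parse it as MVG regardless of the extension.
SAMPLE_TEXT_AS_JPG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

# Constructed policy.xml fragments: one with no coder restrictions,
# one that blocks every coder in RISKY_CODERS.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="{MVG,MSL,TEXT}"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
</policymap>"""


def detect_image_type(data: bytes):
    """Return the format name if data begins with a known signature, else None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def is_safe_upload(data: bytes, claimed_ext: str) -> bool:
    """Accept only when the bytes carry a real image signature that
    matches the extension the client claimed."""
    ext = claimed_ext.lower().lstrip(".")
    if ext == "jpg":
        ext = "jpeg"
    detected = detect_image_type(data)
    return detected is not None and detected == ext


def _expand_pattern(pattern: str) -> set:
    """Expand a policy pattern such as "{MVG,MSL}" into its coder names."""
    inner = pattern.strip("{}")
    return {p.strip().upper() for p in inner.split(",") if p.strip()}


def missing_policy_rights(policy_xml: str) -> set:
    """Return the risky coders that policy_xml does NOT set to rights="none"."""
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            blocked |= _expand_pattern(pol.get("pattern", ""))
    return RISKY_CODERS - blocked


if __name__ == "__main__":
    print("jpeg accepted:", is_safe_upload(SAMPLE_JPEG, ".jpg"))
    print("text-as-jpg accepted:", is_safe_upload(SAMPLE_TEXT_AS_JPG, ".jpg"))
    print("weak policy still allows:", sorted(missing_policy_rights(WEAK_POLICY)))
    print("hardened policy still allows:", sorted(missing_policy_rights(HARDENED_POLICY)))
```

The magic-byte check matters because ImageMagick decides how to parse a file from its contents, not from its name, so an extension whitelist alone does not keep text-based formats out of the converter. The policy audit is worth running on every host, not just once, since a rebuilt or upgraded server can silently ship with the stock permissive policy.xml again.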
ZDNet contacted the server owner, who was not receptive after being given details of the vulnerable server. He claimed that the configuration file in question is just half a year old and that anyone who had a problem with it should ‘send [him] a new config file.’
Later, he responded again, rebuffing the various concerns raised about the server’s security.
A server’s security can’t be confirmed unless it is actually tested with exploit code. At the time of writing, the security researcher had not retested the server, so we cannot confidently state that it has been patched.