Online PDF makers leaked 90 thousand documents

A recent study by Cybernews shows that two online PDF makers have leaked tens of thousands of user documents, including passports, driver’s licenses, certificates, and other personal information uploaded by users.

At the same time, users continue to upload their documents every day, unaware that their data is leaking to the Internet.

The Cybernews research team has exposed two online PDF creation services, PDF Pro and Help PDF, for leaking more than 89,000 documents.

“To make matters worse, numerous attempts to contact the providers went completely unnoticed, and the open Amazon S3 bucket was available at the time of publication to anyone who wanted to use it. Our team has asked the service providers for an official statement, but has not yet received a response,” the company said.

Serious security risks of PDF makers

Experts note that both PDF Pro (pdf-pro.io) and Help PDF (help-pdf.com) are likely operated by the same legal entity based in the UK and have the same design. Users are offered PDF conversion, compression and editing tools, as well as the ability to sign documents.

According to the team, the exposed instance contains documents uploaded by users. At the time of writing, the total number of available files was 89,062, of which 87,818 were uploaded via PDF Pro and 1,244 via Help PDF.

Various documents in the public domain

The open repository contains:

  • Passports.
  • Driving licenses.
  • Certificates.
  • Contracts.
  • Other documents and information.

“With access to personal documents, criminals can engage in various fraudulent activities, such as obtaining loans, renting real estate, or buying expensive items, using the victim’s identity,” the researchers note.

What to do

The team offers several tips to help prevent the leak and avoid similar incidents in the future:

  • Immediately restrict public access to the bucket.
  • Modify the storage policy and access control lists (ACLs) to restrict access to only authorized users or applications.
  • Ensure that all objects in the bucket are set to private or have appropriate access controls configured.
  • Enable server-side encryption to protect data at rest. Administrators can choose between SSE-S3, SSE-KMS, or SSE-C depending on their requirements.
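An offline audit of the checklist above, added here as an example; it is not code from Cybernews or from the affected services. It assumes the bucket's settings were already fetched into one dict shaped like the S3 GetPublicAccessBlock, GetBucketPolicy, GetBucketAcl and GetBucketEncryption responses; the bucket name, account ID and role name are constructed.

```python
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _anyone(principal):
    """True when a policy Principal matches every caller."""
    if isinstance(principal, dict):
        principal = principal.get("AWS")
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def audit_bucket(cfg):
    """Return findings for one bucket, one per unmet checklist item."""
    findings = []
    pab = cfg.get("PublicAccessBlockConfiguration") or {}
    off = [f for f in PAB_FLAGS if not pab.get(f)]
    if off:
        findings.append("public access block disabled: " + ", ".join(off))
    stmts = json.loads(cfg.get("Policy") or "{}").get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        # Unconditional wildcard Allow = public; conditioned ones need manual review.
        if s.get("Effect") == "Allow" and _anyone(s.get("Principal")) and not s.get("Condition"):
            findings.append(f"policy allows anyone: {s.get('Action')}")
    for g in cfg.get("Grants", []):
        if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {g.get('Permission')} to a public group")
    rules = (cfg.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
        findings.append("no default server-side encryption")
    return findings

# Constructed sample settings; "example-uploads" is a placeholder bucket name.
EXPOSED = {
    "Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]}),
    "Grants": [{"Permission": "READ", "Grantee": {"Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}],
}
HARDENED = {
    "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
    "Policy": json.dumps({"Statement": [{"Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]}),
    "Grants": [],
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}
```

`audit_bucket(EXPOSED)` reports all four checklist items as unmet, while `audit_bucket(HARDENED)` returns an empty list.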
