A server hosting dozens of popular file converter sites has been hacked

The server hosting the sites had been "tampered with for months on end, without the server owner noticing it."


The server hosting dozens of free-to-use online file conversion websites has been hacked several times in the past year using a well-known, easy-to-use exploit.


The security researcher, who asked not to be named for fear of legal repercussions, told ZDNet that the attacker obtained "full root access" to the server and its contents.

The researcher said the level of access would allow an attacker to quietly exfiltrate any file uploaded to the sites, but said it was "impossible to tell" what the shells were for, or whether they were actively in use.

The Paris-based server hosted sites -- including combinepdf.com, imagetopdf.com, jpg2pdf.com, pdftoimage.com, pdfcompressor.com, and wordtojpeg.com, among others -- that let users convert files and documents to other formats.

These are hardly the most popular sites in the world, but thousands of people use the sites each day, based on various traffic metrics and statistics sites. Key search terms like "pdf convert" and "image convert" bring up several of the affected sites in the first page of Google search results, giving them an edge over other conversion sites.

The server was vulnerable to a year-old set of bugs found in the ImageMagick library, a popular tool used to convert images. The bugs, known collectively as "ImageTragick," are extremely easy to exploit -- in one case, as simple as uploading an image file containing four lines of code to the server. The bug is so serious that Facebook paid a record bug bounty to a researcher who found that the social network was vulnerable, and Yahoo stopped using the software altogether. Countless servers and websites remain unpatched to this day.

As soon as the image is uploaded, the code runs, opening up a bind shell on the server, which listens for commands or code from an attacker's server.
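Two defensive checks an operator of a converter site can run against this class of bug, written as an added example for this article (not code from ZDNet, the researcher, or the server in question): a simplified audit of ImageMagick's policy.xml against the coder-disabling rules the ImageMagick project published as the ImageTragick mitigation, and a magic-byte check that rejects uploads whose contents are not an allow-listed raster format, regardless of the file extension. The sample policy and sample bytes are constructed; the policy parser matches exact pattern names only and does not expand glob patterns.

```python
import xml.etree.ElementTree as ET

# Coders the ImageTragick mitigation guidance recommends setting to rights="none".
RECOMMENDED_BLOCKED_CODERS = {
    "EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT",
}

# Allow-listed raster formats and their leading magic bytes.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def missing_coder_blocks(policy_xml: str) -> set:
    """Return recommended coders that policy_xml does not disable.

    Simplified audit: only <policy domain="coder" rights="none" pattern="NAME"/>
    entries with an exact coder name are counted; glob patterns are ignored.
    """
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain") == "coder" and pol.get("rights") == "none":
            blocked.add(pol.get("pattern", "").strip().upper())
    return RECOMMENDED_BLOCKED_CODERS - blocked


def sniff_image(data: bytes):
    """Return the detected raster type, or None if the header matches no allow-listed format."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


# Constructed sample: a policy.xml that blocks only part of the recommended set.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
</policymap>"""

if __name__ == "__main__":
    print("policy.xml still allows:", sorted(missing_coder_blocks(SAMPLE_POLICY)))
    print(sniff_image(b"\x89PNG\r\n\x1a\n\x00\x00"), sniff_image(b"not an image"))
```

An upload that fails `sniff_image` should be rejected before it ever reaches a converter, and a non-empty result from `missing_coder_blocks` means the policy file still needs the remaining entries.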

According to the researcher, there were three other bind shells open on this vulnerable server.

"The impact of this incident is concerning to me," said the security researcher. "All data going in or out of the server was being tampered with for months on end without the server owner noticing it."

The researcher shared a list of 48 affected domains, spanning the PDF, image, ebook and ringtone converters named above as well as several name- and text-generator sites.


We tracked down and contacted the owner of the server, who did not provide his name, but he replied with an aggressive response when provided with details of his vulnerable server.

"That config file is half a year old. If you claim my server still has that problem with Image-f**king-Magick, please send me the new config file," said the server owner. "If you can't, well, you're too late."

The server owner later said he had updated his servers and rebuffed several claims about his server's security.

There's no easy way to determine if a server is vulnerable unless the server is actively exploited with a malicious image. The security researcher did not retest the server after ZDNet reached out to the server owner for fear of legal repercussions, so there is no way to verify that the sites have in fact been patched.

"The fact that he has control over sites that are so widely used for manipulating documents, even if they weren't compromised, is really worrying," the researcher said.

"This should be a lesson for all of us," the researcher said. "If you don't want something to be stolen, don't give it away, especially to sites that you don't trust."

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
