A server hosting dozens of popular file converter sites has been hacked
(Image: file photo; alternative: Twitter)
The server hosting dozens of free-to-use online file conversion websites has been hacked several times in the past year using a well-known, easy-to-use exploit.
The security researcher, who asked not to be named for fear of legal repercussions, told ZDNet that the attacker obtained "full root access" to the server and its contents.
The researcher said the level of access would allow an attacker to quietly exfiltrate any file uploaded to the sites, but said it was "impossible to tell" what the shells were for, or if they were in actively used.
The Paris-based server hosted sites -- including combinepdf.com, imagetopdf.com, jpg2pdf.com, pdftoimage.com, pdfcompressor.com, and wordtojpeg.com, among others -- that let users convert files and documents to other formats.
These are hardly the most popular sites in the world, but thousands of people use the sites each day, based on various traffic metrics and statistics sites. Key search terms like "pdf convert" and "image convert" bring up several of the affected sites in the first page of Google search results, giving them an edge over other conversion sites.
The server was vulnerable to a year-old set of bugs found in the ImageMagick library, a popular tool used to convert images. The bugs, known collectively as "ImageTragick," are extremely easy to exploit -- in one case, as simple as uploading an image file containing four lines of code to the server. The bug is so serious that Facebook paid a record bug bounty to a researcher who found that the social network was vulnerable, and Yahoo stopped using the software altogether. Countless servers and websites remain unpatched to this day.
As soon as the image is uploaded, the code runs, opening up a bind shell on the server, which listens for commands or code from an attacker's server.
According to the researcher, there were three other bind shells open on this vulnerable server.
"The impact of this incident is concerning to me," said the security researcher. "All data going in or out of the server was being tampered with for months on end without the server owner noticing it."
The list of affected domains includes:
| booktitlegenerator.com combinepdf.com compressjpeg.com compresspng.com coollastnames.com croppdf.com cutecatnames.com cutedognames.com djvu2pdf.com dragonnamegenerator.com ebook2pdf.com epub2kindle.com exceltopdf.com horsenamegenerator.com html2pdf.com htmlformatter.com | imagetopdf.com jpg2pdf.com jpg2png.com mobi2epub.com odt2pdf.com optimizilla.com palettegenerator.com pdf2kindle.com pdf2mobi.com pdf2png.com pdfcompressor.com pdfepub.com pdfjoiner.com pdfmobi.com pdftoimage.com pdftotext.com | png2jpg.com png2pdf.com pngjpg.com psd2pdf.com pubtopdf.com ringer.org ringtonecutter.com ringtonemaker.com rtftopdf.com shrinkpdf.com summarygenerator.com svgtopng.com toepub.com topdf.com unminify.com wordtojpeg.com |
We tracked down and contacted the owner of the server, who did not provide his name, but he replied with an aggressive response when provided with details of his vulnerable server.
"That config file is half a year old. If you claim my server still has that problem with Image-f**king-Magick, please send me the new config file," said the server owner. "If you can't, well, you're too late."
The server owner later said he had updated his servers and rebuffed several claims about his server's security.
There's no easy way to determine if a server is vulnerable unless the server is actively exploited with a malicious image. The security researcher did not retest the server after ZDNet reached out to the server owner for fear of legal repercussions, so there is no way to verify that the sites have in fact been patched.
"The fact that he has control over sites that are so widely used for manipulating documents, even if they weren't compromised, is really worrying," the researcher said.
"This should be a lesson for all of us," the researcher said. "If you don't want something to be stolen, don't give it away, especially to sites that you don't trust."