Dozens of online file converter websites may have been compromised

 

Recently, a security researcher made an alarming discovery: a server hosting several popular file conversion websites had been hacked. The researcher, who asked not to be named for fear of legal repercussions, recently told ZDNet that the attacker behind the hack had obtained “full root access” to the server and its contents.

The researcher claimed the level of access would allow an attacker to quietly copy any file uploaded to the sites, but said it was “impossible to tell” what the root shells were being used for, or if they were even in active use.

The Paris-based server hosted sites including combinepdf.com, imagetopdf.com, jpg2pdf.com and many others.  These sites allow users to convert files and documents to other formats.  While they are hardly the most popular sites in the world, it is estimated that thousands of people use the sites every day, based on various traffic metrics and statistics sites.

The server was found by the researcher to be vulnerable to a year-old set of bugs found in the ImageMagick library, a commonly used tool to convert images. The bugs, known collectively as “ImageTragick,” are extremely easy to exploit — in one case, as simple as uploading an image file containing four lines of code to the server. The bug is so serious that Facebook paid a record bug bounty to a researcher who found that the social network was vulnerable, and Yahoo stopped using the software altogether. Countless servers and websites remain unpatched to this day.

As soon as an exploit file is uploaded to a vulnerable server, the code runs.  This opens a bind shell on the server which listens for commands or code from the attacker.  According to the researcher, there were 3 other bind shells open on this server.  Exactly who was using them or what they were doing remains unknown.
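One way a server owner could notice listeners like the bind shells described above is to compare the host's listening TCP sockets against a known baseline. This is an added example, not code from the article or the researcher; the baseline ports, the suspect process names and the `ss -H -ltnp` sample output are constructed assumptions.

```python
import re

# Assumption: expected listeners on a hypothetical conversion host (port -> process).
ALLOWED = {22: "sshd", 80: "nginx", 443: "nginx"}
# Assumption: programs that should never own a listening socket on such a host.
SUSPECT = {"sh", "bash", "dash", "nc", "ncat", "socat", "perl", "python", "convert"}

# Constructed sample of `ss -H -ltnp` output (not data from the incident).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1044,fd=6),("nginx",pid=1043,fd=6))
LISTEN 0 1 0.0.0.0:4444 0.0.0.0:* users:(("sh",pid=22871,fd=3))
LISTEN 0 128 [::]:8081 [::]:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=901,fd=5))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def audit_listeners(ss_output, allowed=ALLOWED):
    """Return (port, address, process, reason) for each unexpected listener."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        port = int(port)  # -n keeps ports numeric
        procs = sorted({m.group(1) for m in PROC_RE.finditer(line)})
        bad = [p for p in procs if p in SUSPECT]
        if bad:
            # Flag these even on loopback: a shell has no reason to listen.
            findings.append((port, addr, bad[0], "shell or network tool is listening"))
        elif addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only service, not reachable from the network
        elif not procs:
            # ss shows no owner when run unprivileged or when the owner is hidden.
            findings.append((port, addr, None, "no owning process visible"))
        elif allowed.get(port) not in procs:
            findings.append((port, addr, procs[0], "listener not in baseline"))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE):
        print(finding)
```

Run on a schedule against real `ss -H -ltnp` output taken as root, a check like this turns an unexpected listener into an alert instead of something found months later.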

“The impact of this incident is concerning to me,” said the security researcher. “All data going in or out of the server was being tampered with for months on end without the server owner noticing it.”

The full list of affected domains includes:

