Insecure PDF-to-Word Convertor

Next story
Lukáš Štefanko

Imagine you have a PDF file that you need to quickly edit on your smartphone. As the Adobe’s free PDF viewer – a common default on mobile devices – doesn’t allow it, you search for an app that converts PDFs to DOC in the official market, download it and use it for the conversion. It does a good job converting the PDFs you need as editable documents, and you set about making the changes that you need.

Two years later, however, you discover that all the sensitive documents you ran through the app have been available to the whole digital world – including the black-hat actors – and are still.

This was exactly the case with an app, available on Google Play, named “pdf to word”. Uploaded by Ngoc Ha Dev, the app had more than 100,000 installs and promised to convert between these file types, as seen in Figure 1. For the two years of its active presence in the market, it apparently placed all user-uploaded PDFs on an FTP server, amassing a collection of around 360,000 files - without using any security measures at all.

Figure 1 - The "pdf to word" app as it appeared on Google Play

All these files were publicly accessible and downloadable by anyone, without any authentication and the files were stored unencrypted. Moreover, many of the uploaded files were extremely sensitive, including documents such as:

  • CVs
  • IDs and passports
  • police records
  • medical records
  • court files
  • insurance contracts
  • reservations
  • flight tickets
  • school diplomas

To make things worse, the uploaded files were never removed from the server and were thus at the mercy of anyone who found them, possibly including malicious actors.

Figure 2 – Publicly accessible server was storing all “converted” files since 2016

To make matters even worse still, the FTP server didn’t only store the mentioned PDF files, but also other content such as user images, scanned documents, personal photos and mp3 files. These probably originated from other file conversion applications by the same developer.

Figure 3 – The server also stored other files, probably originating from other conversion apps by the same developer

On top of all these shortcomings, there are other security flaws in the “pdf to word” app. User credentials were poorly protected when stored in the app as well as in transit across the internet to the app’s server. This could allow their decryption if extracted or intercepted by an attacker in network traffic.

Another point on the list of this app’s issues was the promised conversion. The app wasn’t performing this process itself; instead it was using an online service called “online-convert.com” to transform the files.

ESET reported all these security and privacy issues to the developer. The app “pdf to word” is not currently available from the Google Play market.