Research: Security Agencies Expose Information via Improperly Sanitized PDFs
Security News, March 2021
Most security agencies fail to properly sanitize Portable Document Format files before publishing them, thus exposing potentially sensitive information and opening the door for attacks, researchers have discovered.
An analysis of roughly 40,000 PDFs published by 75 security agencies in 47 countries has revealed that the metadata these files carry can be used to identify employees who use outdated software, according to Supriya Adhatarao and Cédric Lauradoux, two researchers with the University Grenoble Alpes and France's National Institute for Research in Computer Science and Automation (Inria).
The analysis also revealed that the adoption of sanitization within security agencies is rather low: only 7 of the 75 agencies used it to remove hidden sensitive information from some of their published PDF files.
"Some agencies are using weak sanitization techniques: it requires removing all the hidden sensitive information from the file and not just removing the data at the surface. Security agencies need to change their sanitization methods," the academic researchers say.
"During our analysis we observed that many agencies include more than one author publishing the PDF files. It is possible to download all the PDF files published on a security agency's website and observe author habits and OS trends," the researchers note.
While 9,509 of the roughly 40,000 analyzed PDF files had been sanitized before publishing, only 3,313 were sanitized at Level-3, the highest level on the researchers' scale, at which the hidden information is actually removed rather than only the metadata visible at the surface.
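The two points above, surface versus full sanitization and the corpus-wide survey of author and software habits, are easier to see on bytes than in prose. The following stdlib-only Python scanner is an added example, not the researchers' tooling or code from the page: it walks every object in a PDF, including the XMP metadata stream and stale objects left behind by an incremental update, and then aggregates producer and creator strings across several files. The three sample PDFs, the object numbers, the "J. Doe" and "Microsoft Word 2010" values and the three-way none/surface/full classification are all constructed for the demonstration (simplified skeletons without cross-reference tables); the classification is an assumption and not the paper's Level-0 to Level-3 scale.

```python
"""Added example (not the researchers' tooling): a stdlib-only scanner showing
why rewriting the visible /Info dictionary is only surface sanitization.
The sample PDFs are constructed skeletons without xref tables."""
import re
from collections import Counter

# --- constructed sample files ------------------------------------------------
XMP = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF><rdf:Description>"
       b"<xmp:CreatorTool>Microsoft Word 2010</xmp:CreatorTool>"
       b"<pdf:Producer>Acrobat Distiller 9.0.0 (Windows)</pdf:Producer>"
       b"</rdf:Description></rdf:RDF></x:xmpmeta>")

PAGES = (b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
         b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n")

# As published by an author who never sanitized: /Info dictionary plus XMP stream.
ORIGINAL = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n"
    + PAGES +
    b"4 0 obj\n<< /Author (J. Doe) /Creator (Microsoft Word 2010)"
    b" /Producer (Acrobat Distiller 9.0.0 (Windows)) >>\nendobj\n"
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length "
    + str(len(XMP)).encode() + b" >>\nstream\n" + XMP + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n"
)

# A tool that only rewrote the /Info dictionary: it appended an incremental
# update pointing the trailer at an empty dictionary, but object 4 and the
# XMP stream are still in the file and still reachable from the catalog.
SURFACE_SANITIZED = ORIGINAL + (
    b"6 0 obj\n<< >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 6 0 R >>\n%%EOF\n"
)

# A file rewritten from scratch: no /Info, no /Metadata, no stale objects.
FULL_SANITIZED = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    + PAGES + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# --- scanner -----------------------------------------------------------------
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.DOTALL)
INFO_KEY_RE = re.compile(rb"/(Author|Creator|Producer|Title)\s*\(")
XMP_TAG_RE = re.compile(rb"<(xmp:CreatorTool|pdf:Producer)>(.*?)</\1>", re.DOTALL)


def _literal_string(buf, start):
    """Decode a PDF literal string starting at buf[start] == b'(' . Handles
    balanced parentheses; a backslash simply keeps the next byte (simplified)."""
    depth, out, i = 0, bytearray(), start
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return out.decode("latin-1")
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def info_fields(body):
    """Author/Creator/Producer/Title string entries found in one object body."""
    return {m.group(1).decode(): _literal_string(body, m.end() - 1)
            for m in INFO_KEY_RE.finditer(body)}


def all_objects(pdf):
    """Every object definition in file order, superseded generations included."""
    return [(int(m.group(1)), m.group(2)) for m in OBJ_RE.finditer(pdf)]


def visible_info(pdf):
    """What a viewer's document-properties dialog shows: the /Info dictionary
    named by the last trailer, using the last definition of that object."""
    trailers = TRAILER_RE.findall(pdf)
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", trailers[-1]) if trailers else None
    if not ref:
        return {}
    bodies = [body for num, body in all_objects(pdf) if num == int(ref.group(1))]
    return info_fields(bodies[-1]) if bodies else {}


def hidden_metadata(pdf):
    """(object number, key, value) for every metadata string anywhere in the
    bytes: old /Info generations and XMP packets included."""
    found = []
    for num, body in all_objects(pdf):
        found += [(num, k, v) for k, v in info_fields(body).items()]
        found += [(num, m.group(1).decode(), m.group(2).decode("latin-1"))
                  for m in XMP_TAG_RE.finditer(body)]
    return found


def sanitization_level(pdf):
    """Assumed scale for this example (not the paper's Level-0..3): 'none' =
    viewer shows metadata, 'surface' = viewer shows nothing but the bytes still
    carry it, 'full' = nothing found anywhere."""
    if visible_info(pdf):
        return "none"
    return "surface" if hidden_metadata(pdf) else "full"


def software_inventory(pdfs):
    """Count, once per file, the producing-software strings an attacker would
    harvest from an agency's published PDFs to spot outdated tools and OSes."""
    counts = Counter()
    for pdf in pdfs:
        counts.update({v for _, k, v in hidden_metadata(pdf)
                       if k in ("Creator", "Producer", "xmp:CreatorTool", "pdf:Producer")})
    return counts


if __name__ == "__main__":
    for name, pdf in (("original", ORIGINAL), ("surface", SURFACE_SANITIZED),
                      ("full", FULL_SANITIZED)):
        print(f"{name:8s} viewer sees {visible_info(pdf)} -> {sanitization_level(pdf)}")
        for num, key, value in hidden_metadata(pdf):
            print(f"         obj {num}: {key} = {value}")
    print(software_inventory([ORIGINAL, SURFACE_SANITIZED, FULL_SANITIZED]))
```

The practical check this encodes: never judge a file by the document-properties dialog. Look for more than one `%%EOF` (an incremental update, which keeps every earlier object in the file), for a `/Metadata` XMP stream referenced from the catalog, and for producer strings in both places. A sanitizer that appends an update instead of rewriting the file leaves everything recoverable; exiftool, for instance, edits PDFs this way, and its documentation states that metadata deleted with it remains recoverable until the file is rewritten. Full sanitization means regenerating the file with only the objects the reader needs.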