Two online PDF makers have leaked tens of thousands of user documents, including passports, driving licenses, certificates, and other personal information uploaded by users.
We’ve all been there: in a terrible rush, fighting to craft a PDF quickly and submit a form. Many have turned to online PDF makers for help, and many have had their prayers answered.
However, if you ever wondered why those services happen to be free, it’s because user data safety is not among the top priorities for some. The Cybernews research team has uncovered two online PDF makers, PDF Pro and Help PDF, leaking over 89,000 documents.
What’s worse, multiple attempts to contact the service providers went unanswered, and the exposed Amazon S3 bucket was still wide open to anyone at the time of publishing. Moreover, users are still uploading their documents, unaware that their data is leaking to the internet.
We have also reached out to service providers for an official statement but have yet to receive a response.
Severe Security Risks
Both PDF Pro (pdf-pro.io) and Help PDF (help-pdf.com) appear to be operated by the same UK-based legal entity and share the same design. Users are offered PDF conversion tools, compression tools, and editing tools, as well as an option to sign the documents.
According to the team, the exposed instance contains documents uploaded by users. At the time of writing, the total number of exposed files was 89,062, with 87,818 uploaded via PDF Pro and 1,244 via Help PDF.
The files include sensitive information few would voluntarily share online. The open bucket contains:
- Passports
- Driving licenses
- Certificates
- Contracts
- Other documents and information
“With access to personal documents, criminals can engage in various fraudulent activities such as applying for loans, renting properties, or purchasing expensive items using the victim’s identity,” researchers said.
Attackers can utilize the leaked documents to impersonate individuals and open bank accounts, apply for credit cards, or conduct other financial transactions in the victim’s name.
Additionally, threat actors can alter or forge documents such as contracts or licenses to create fake identities, fabricate qualifications, or manipulate legal agreements for their benefit, potentially causing legal issues for the victim.
The team offers several tips to mitigate the leak and avoid such incidents in the future:
- Immediately restrict public access to the bucket
- Change the bucket policy and access control lists (ACLs) to restrict access to authorized users or applications only
- Ensure that all objects in the bucket are set to private or have appropriate access controls configured
- Enable server-side encryption on the bucket to protect data at rest. Admins can choose between SSE-S3, SSE-KMS, or SSE-C based on their requirements
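
The four recommendations above can be checked against a bucket's current settings. The following is an added example, not code from Cybernews or from the affected services: a Python function that takes the responses of the S3 GetPublicAccessBlock, GetBucketPolicy, GetBucketAcl and GetBucketEncryption calls as dictionaries and reports which recommendations are not met. The sample inputs, the bucket name example-uploads and the owner ID are constructed.

```python
import json

# S3 ACL grantee groups meaning "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(v):
    return [] if v is None else v if isinstance(v, list) else [v]

def audit_bucket(pab, policy, acl, encryption):
    """Return findings for one bucket; an empty list means every check passed."""
    findings = []
    # 1. Block Public Access: all four flags must be enabled.
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    off = [f for f in PAB_FLAGS if not cfg.get(f)]
    if off:
        findings.append("public access block disabled: " + ", ".join(off))
    # 2. Bucket policy: an unconditional Allow to a wildcard principal is public.
    doc = json.loads(policy["Policy"]) if policy else {}
    for st in _as_list(doc.get("Statement")):
        who = st.get("Principal")
        anyone = who == "*" or (isinstance(who, dict) and "*" in _as_list(who.get("AWS")))
        if st.get("Effect") == "Allow" and anyone and not st.get("Condition"):
            findings.append("policy allows anyone: " + ", ".join(_as_list(st.get("Action"))))
    # 3. ACL grants (same shape for bucket and object ACLs): no public group.
    for grant in (acl or {}).get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI", "")
        if uri in PUBLIC_GROUPS:
            findings.append("acl grants %s to %s" % (grant.get("Permission"), uri.rsplit("/", 1)[-1]))
    # 4. Default server-side encryption must name an algorithm.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules):
        findings.append("no default server-side encryption")
    return findings

# Constructed samples: a publicly readable bucket and a locked-down one.
OPEN = dict(
    pab=None,
    policy={"Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]})},
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    encryption=None,
)
LOCKED = dict(
    pab={"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
    policy=None, acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}]},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
)
```

Pass None for any setting the bucket does not have configured. A policy statement that carries a Condition is not flagged by this check and needs manual review.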