| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 Aug 2014 08:30:46 +0200 From: peter.wiedekind@...hmail.com To: fulldisclosure@...lists.org Subject: [FD] Optical Society of America's peer-review system can leaks reviewers' usernames -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Optical Society of America's peer-review system can leaks reviewers' usernames Hi, the Optical Society of America uses an article tracking system called "Prism" [1] to manage the submissions of authors and the comments of the reviewers. Reviewers can upload their reviews as MS Word or PDF documents. Under certain circumstances, when an MS Word document is converted to PDF on the reviewer's computer, the username of the reviewer is embedded into the XMP metadata of the resulting PDF document as a dc:creator element. However, the article tracking system does not seem to know about XMP metadata in PDF documents and only clears the author field in the regular PDF metadata, thus leaving the dc:creator field for the author of the reviewed paper to see, potentially revealing the reviewer's identity. Note that a malicious reviewer could of course easily fake the user name field. Since the leak can only be seen when a paper is submitted and reviewed, I could not do a study on how many reviews are affected. Best regards, Peter Wiedekind [1] https://prism.opticsinfobase.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJT7FcLAAoJEFp1Vtbf4jqrFccP/i6DqARZWVU6VX4Ivmnl9ZKy X5Qrg/M36E5zz1lPm9TZxlA7K1A1vU+scUr1sxPTmex/SUOP9SNStsEuPGukiCvr n3kj2Ueeyb+lNChlqCKR66klPwyYmCwRMFGovOQ3zIU4TLv9LtxQdUKKCgN7MrXB BvCFEeAr1Epy+AlU2436+mTu5Wg7GIdvATo+uw2MvOUwRGim94N0E57/VMFQ2Ucy +WQRQWpLHER229XY5IzE0HXr6Od7wXhVmzqosLMESt+JZ6RqbFlEtrm2iMJm/Kjc D8RNmrhIPPb6Ax3S4LoB+Tef0vPKqQdOfPOX5KHIZNloawgFyyD83i3roQd5YYmN o7wdcgm/Z/OthXd1N8X0yxNi8Y06A+88xWLAUGyL5O+WPg/dboMkkqidnmGQDX2K ZSpbm0Sz17QW1TXNOMUhsvkaiKVEt52CtOsPpFFVDQZ/UTVBC3Dj3uV7CsFsMaPs 7CxUo7KwJPR8jVKHSAcuK8/DYJp2+eQu6zU+9FoHY1TjgxeWdDP6sA8LhmS6ZkJ+ PtWZrhrduVegbxSzBB1HUskARCPWGzMJ+RuFsLyBBedoGiaCmG2Z3MLb66v+uTl3 LUEJexOLK1LiBPZVoWNpgllhTsxWO+MLfNU9JWkCzqd+KBEoRWEhh/1zBzTuYd0Q V2Cs+VjY4H4J07s5Frlq =fPRH -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists