Message-Id: <20140814063046.CE63560960@smtp.hushmail.com>
Date: Thu, 14 Aug 2014 08:30:46 +0200
From: peter.wiedekind@...hmail.com
To: fulldisclosure@...lists.org
Subject: [FD] Optical Society of America's peer-review system can leak reviewers' usernames

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Optical Society of America's peer-review system can leak reviewers' usernames

Hi,

the Optical Society of America uses an article tracking
system called "Prism" [1] to manage the submissions of
authors and the comments of the reviewers. Reviewers
can upload their reviews as MS Word or PDF documents.

Under certain circumstances, when an MS Word document
is converted to PDF on the reviewer's computer, the
username of the reviewer is embedded into the XMP
metadata of the resulting PDF document as a dc:creator
element. However, the article tracking system does not
seem to know about XMP metadata in PDF documents and only
clears the author field in the regular PDF metadata, thus
leaving the dc:creator field for the author of the reviewed
paper to see, potentially revealing the reviewer's identity.
Note that a malicious reviewer could of course easily fake
the user name field.

Since the leak can only be seen when a paper is submitted
and reviewed, I could not do a study on how many reviews
are affected.

Best regards,

Peter Wiedekind

[1] https://prism.opticsinfobase.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJT7FcLAAoJEFp1Vtbf4jqrFccP/i6DqARZWVU6VX4Ivmnl9ZKy
X5Qrg/M36E5zz1lPm9TZxlA7K1A1vU+scUr1sxPTmex/SUOP9SNStsEuPGukiCvr
n3kj2Ueeyb+lNChlqCKR66klPwyYmCwRMFGovOQ3zIU4TLv9LtxQdUKKCgN7MrXB
BvCFEeAr1Epy+AlU2436+mTu5Wg7GIdvATo+uw2MvOUwRGim94N0E57/VMFQ2Ucy
+WQRQWpLHER229XY5IzE0HXr6Od7wXhVmzqosLMESt+JZ6RqbFlEtrm2iMJm/Kjc
D8RNmrhIPPb6Ax3S4LoB+Tef0vPKqQdOfPOX5KHIZNloawgFyyD83i3roQd5YYmN
o7wdcgm/Z/OthXd1N8X0yxNi8Y06A+88xWLAUGyL5O+WPg/dboMkkqidnmGQDX2K
ZSpbm0Sz17QW1TXNOMUhsvkaiKVEt52CtOsPpFFVDQZ/UTVBC3Dj3uV7CsFsMaPs
7CxUo7KwJPR8jVKHSAcuK8/DYJp2+eQu6zU+9FoHY1TjgxeWdDP6sA8LhmS6ZkJ+
PtWZrhrduVegbxSzBB1HUskARCPWGzMJ+RuFsLyBBedoGiaCmG2Z3MLb66v+uTl3
LUEJexOLK1LiBPZVoWNpgllhTsxWO+MLfNU9JWkCzqd+KBEoRWEhh/1zBzTuYd0Q
V2Cs+VjY4H4J07s5Frlq
=fPRH
-----END PGP SIGNATURE-----



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
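The two places the post distinguishes, the classic PDF Info dictionary (`/Author`) and the XMP packet in the `/Metadata` stream (`dc:creator`), can be checked side by side. The script below is an added illustration, not code from the advisory or from OSA's Prism system: it builds a tiny constructed, uncompressed PDF with the constructed username "jsmith" in both locations, shows that blanking only the Info entry (the behaviour described above) leaves the XMP creator intact, and then blanks both in place with same-length padding so existing byte offsets in the file stay valid. The regexes only work on uncompressed text as in this sample; real PDFs usually Flate-compress the XMP stream and use object streams and xref tables, so a production scrubber should go through a proper PDF library rather than raw byte matching.

```python
import re

# Patterns for the two identity fields discussed in the advisory.
# Note: PDF literal strings may contain escaped parentheses; the simple
# /Author pattern here is adequate for the constructed sample only.
INFO_AUTHOR_RE = re.compile(rb"/Author\s*\((?P<value>[^)]*)\)")
XMP_CREATOR_BLOCK_RE = re.compile(rb"<dc:creator>.*?</dc:creator>", re.DOTALL)
RDF_LI_RE = re.compile(rb"<rdf:li>(?P<value>[^<]*)</rdf:li>")


def build_sample_pdf(info_author: bytes, xmp_creator: bytes) -> bytes:
    """Constructed minimal PDF (not a real review file) with an Info dictionary
    /Author entry and an uncompressed XMP metadata stream carrying dc:creator."""
    xmp = (b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>\n'
           b'<x:xmpmeta xmlns:x="adobe:ns:meta/">\n'
           b' <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">\n'
           b'  <rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">\n'
           b'   <dc:creator><rdf:Seq><rdf:li>' + xmp_creator + b'</rdf:li></rdf:Seq></dc:creator>\n'
           b'  </rdf:Description>\n'
           b' </rdf:RDF>\n'
           b'</x:xmpmeta>\n'
           b'<?xpacket end="w"?>')
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            b"3 0 obj\n<< /Title (Review of manuscript) /Author (" + info_author + b") >>\nendobj\n"
            b"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length " + str(len(xmp)).encode()
            + b" >>\nstream\n" + xmp + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n")


def find_identity_fields(pdf: bytes) -> dict:
    """Report every non-blank name found in Info /Author and XMP dc:creator.
    This is the check a submission system should run before handing a review on."""
    info = INFO_AUTHOR_RE.search(pdf)
    info_author = info.group("value").decode().strip() if info else ""
    creators = []
    for block in XMP_CREATOR_BLOCK_RE.finditer(pdf):
        for li in RDF_LI_RE.finditer(block.group(0)):
            name = li.group("value").decode().strip()
            if name:
                creators.append(name)
    return {"info_author": info_author or None, "xmp_creators": creators}


def _blank(value: bytes) -> bytes:
    # Same-length overwrite keeps stream /Length and object offsets unchanged.
    return b" " * len(value)


def scrub_info_only(pdf: bytes) -> bytes:
    """Mimics the behaviour described in the post: only the Info /Author is cleared."""
    return INFO_AUTHOR_RE.sub(lambda m: b"/Author (" + _blank(m.group("value")) + b")", pdf)


def scrub_all(pdf: bytes) -> bytes:
    """Clear the Info /Author and every dc:creator entry in the XMP packet."""
    pdf = scrub_info_only(pdf)

    def blank_block(block: "re.Match") -> bytes:
        return RDF_LI_RE.sub(
            lambda m: b"<rdf:li>" + _blank(m.group("value")) + b"</rdf:li>", block.group(0))

    return XMP_CREATOR_BLOCK_RE.sub(blank_block, pdf)


if __name__ == "__main__":
    sample = build_sample_pdf(b"jsmith", b"jsmith")
    print("original      :", find_identity_fields(sample))
    print("info-only scrub:", find_identity_fields(scrub_info_only(sample)))
    print("full scrub     :", find_identity_fields(scrub_all(sample)))
```

Run stand-alone, the script prints three reports: the original shows "jsmith" in both fields, the Info-only scrub still reports the XMP creator, and the full scrub reports neither. The padding approach is deliberate: rewriting the file structurally is safer long-term, but an in-place overwrite is what a quick remediation on an existing upload pipeline can do without regenerating xref tables.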