Ask HN: Is it just me, or could file conversion websites be a honeypot?

88 points by gjsman-1000 ↗ HN
Hello,

I'm interested in some thoughts on this. I have nothing to go on but a hunch... but is there any guarantee that popular "file conversion" websites aren't honeypots for sensitive or useful information?

The odds, to me, of some employee running random files through a file conversion website at some point seems terrifyingly high. And some (like https://fabconvert.com/) definitely seem more suspicious than others, lacking any legal entity or trademark I can find. If there were, or are, corrupt file conversion websites out there, it would be the perfect crime. So much so that, if I were running a business, I would not allow employees to touch any such service with a 10-foot-pole - but how often is that cited in training for preventing information leaks?

Thoughts?

59 comments

[ 3.1 ms ] story [ 112 ms ] thread
I think you know already that any answer you get is pure speculation. Unless the source code is open source and their infrastructure is audited, you'll never know.
In which case... how many businesses are screaming from the rooftops that you should never, ever, use a file conversion website that hasn't been approved by IT? How many healthcare providers could be running patient records through, to convert their TIFFs to JPEGs? The IP theft ability of running a well-targeted file conversion service, for the right formats used in the right industries, could be horrifying... But that's just a could be...
You'd assume people in a business like finance or health would have rules about what kind of software they can use.

I know people who work for Bloomberg and big banks have strict rules about what kind of software they can install on their laptops (one person at a big bank got permission to use a python package I wrote)

In an environment like that they'd treat using a file conversion web site the same way. But I'm sure somebody out there is running a file conversion site that's there for intelligence gathering and some fool uploads something they shouldn't every day.

> You'd assume people in a business like finance or health would have rules about what kind of software they can use.

I would assume... but the NHS was running Windows XP on thousands of computers, often with internet, as late as 2019. Finance? Well, Experian had a website which would not show credit information and redirect you if it couldn't verify your identity... unless you changed the URL to the regular report link. Then it would dump it all out.

Let's say I was an information gatherer, for say, the NSA or GCHQ. Or maybe I'm a Chinese PLA soldier. I'd corner the market with shell companies that offered online conversion of 3D files to other 3D formats. There's over a dozen formats to choose from, and you can tell a lot just by the format selected. DGN file? It's MicroStation, meaning its highway, bridges, and infrastructure information. Neat.

If I had to pick just one tactic for intelligence gathering it would be "count on somebody to make a mistake with operational security." They got Che Guevara that way.
I would think that at scale, any significant use of a "CONVERT4FREE" site is going to be severely rate-limited and ultimately curtailed by a lack of resources and capacity.

I mean, can you imagine how many photocopies an office needs in a day? Now imagine a single 9-5 medical imaging office, running every TIFF through a free website converter? Improbable.

I'd think in an environment like that people would be using dodgy web-based file converters all the time because of the hassle required to install a converter locally.
Often there is a data leak prevention software installed that won’t let you upload local files to external sites and flag your manager if you do. You can’t block all the sites, so this is a better way.
(comment deleted)
And even if the source code is open and they subject themselves to audits, you'll never know.
Every time I've used one I've thought the same.
Why would anyone provide their files to a random internet website? It’s a security problem.

A lot of formats can be converted locally.

A lot of people are non technical and the search engines tend to show these easy to use websites first.
>A lot of formats can be converted locally.

And a lot of people (even technical ones) don't have the tools installed, the budget to buy them, or the inclination to spend time/money on a local solution when they can do it "free" in seconds elsehow

To use a silly example, I can install an image converter that will go from TIFF to PNG - but which one? Why that one? What about all the alternatives? Is it in policy for my work machine? Is it a risk to my personal machine? Why go through all that effort when I can go to super-super-image-converter-online.tld and be done in 10 seconds?

and in a corporate environment, you might be prevented from installing a conversion app from a trusted source but not blocked from using randomsketchysite.com to do the conversion.
...not that I've EVER had that happen ...
I view it from two angles.

People rarely do anything for free, especially when it comes at a cost to them. Therefore, there is a significant likelihood something nefarious is happening.

On the other hand, there is a high probability the owner of the website would get caught eventually in a sting operation.

The only scenario I can imagine is the website is ad supported. At any rate, I have always avoided these websites out of a fear of the first possibility.

A "sting" of what? People are voluntarily uploading their files. The sites aren't claiming any type of privacy or destruction of uploaded files.

I'd say it's probably immoral for these sites to search through uploaded files for useful or interesting or private information, but I doubt it's illegal.

Agreed.. It's no more illegal than going to Kinkos and asking someone there to photocopy your files for you.
Going to Kinko's and giving your papers to the friendly guy outside who says he'll give you color photocopies for free if you just give him your documents and wait here.
Depends on jurisdiction.
I run my own pastebin, image upload, image editing upload service that's for me but it's open to public. How about that angle?
I do a lot of work with what you’d call ShadowIT, or the use of unsanctioned applications. I use cloud broker tools which use firewall logs to identify where these websites are being used.

The use of these file conversion tools is very common and is often used on sensitive information. Heck I’ve seen health companies use these tools to upload god knows what.

Usually there is little to no data sovereignty rules that apply, in that by using the service for free that can own the file you upload and use it to glean information from.

Firstly, employees need to be aware that they are not allowed to use this software and you need to therefore provide a solution. You should then use broker tools to actually block these conversion sites, in the same way that you might block the use of Dropbox and other cloud solutions if these are unsanctioned.

Yes you’re absolutely right to question these services and organisations are having to deal with risk associated with using them. Which is only really an issue if it’s sensitive personally identifiable information.

What are some examples of these “cloud broker tools”?
I have experience with the NetSkope CASB.

Gives you all of those insights and the ability to block them.

> Firstly, employees need to be aware that they are not allowed to use this software and you need to therefore provide a solution.

As far as I understand, the usage of such tools is caused by the need to accomplish some goal that they don't know how to otherwise do. Therefore, wouldn't it be a good idea to self-host such a tool, even if it's not a part of any pre-existing platform that's in use for other business processes?

For example, for various data format related concerns, I've seen CyberChef be pretty good: https://github.com/gchq/CyberChef

As for some binary file format conversations, HRConvert2 seems viable: https://github.com/zelon88/HRConvert2

If self-hosting things is too much of a bother/risk, then I guess all that's left is local tools, such as Handbrake on Windows for video: https://handbrake.fr/ and maybe something like XnView for images: https://www.xnview.com/en/ and so on...

But then there's the risks of self-hosted or local software containing something malicious and needing to be audited etc. I recall that in my previous org, I helped develop a Wiki page listing many of the tools available within the company internally, so that anyone who needs to store files could immediately look at self-hosted Nextcloud (for example), as opposed to going for Dropbox or whatever. Of course, instructions alone probably aren't enough, restrictions are also necessary, but discoverability is always good!

That’s where in my post I said “you need to therefore provide a solution”

Yes, you can’t just remove it you need to provide them with the capability to do it.

That's seems like a brilliant business opportunity.

file conversion with corporate friendly terms.

charge a per seat license thats cloud based and easy to use. maybe offer a browser plugin that redirects to your site. go through security department of IT to get it approved.

If it were possible, the biggest business opportunity would be a turnkey, self-hosted file conversion service. The only outbound internet traffic should be for software updates and responding to incoming traffic - and because it's self-hosted, the business could put it behind a firewall and have complete certainty in the privacy of their information, which would be huge. If you had that, plus an all-in-one, easily-deployable browser plugin which overrides standard file conversion websites to force users to the self-hosted business-approved converter (and, preferably, adds a Start Menu link)...
I do think for many organisations this type of solution would be very niche.

Conversion between different work, excel, powerpoint, .PDF formats can be done natively by the software itself.

Heck even the built in image viewer in Windows can convert images between common formats.

The predominant problem is around user education and showing them how to use the tools they have available to them already.

(comment deleted)
A VC backed company would be scanning without remorse but these sites are much smaller and your data has less value than to Google, or facebook or JC Penny or even the New York Times. Their entire functionality is the output of a command line tool. Site probably doesn't even have a database connected and lives off of low paying ads.

Less worried than if Amazon ran one. They would know who it came from; what it means and how to use the information

If the site is really simple and just runs system() on a VPS, chances are that there is no protection against command injection, server takeovers, and worse. So what comes from good intentions might end up causing a lot of harm.

The problem of shadow IT is very real and should best be countered with a healthy amount of education. And whitelisting instead of black listing as the default approach.

Chances are? Very unlikely as these things run in a vm that dies when the request is finished. I would be more worried about the big player who do scan your documents and share with government entities.

People are scared of the[unknown when the known is more likely

> as these things run in a vm that dies when the request is finished

You don't know that. There's absolutely no reason why they need to run that way. They could be literally saving all of your upload files permanently, and running on Linux from 6 years ago with 17 backdoors, and there's no way to know that. There is nothing requiring them to run in a VM - they could easily be colocated bare metal. Dies when the request is finished? PHP works that way, but NodeJS doesn't, and either programming language can easily save your files to any other location like an S3 bucket. Dies when the request is finished is completely irrelevant here.

They can save your files and millions of other files. Then what? Setup a global ad network and use that information to provide targeted ads? My point is these big companies can do a lot more damage. Trust no one online.
Probably. The worst for me are still the "test your password strength" websites though. So painful to explain to end users why it's NOT a good idea to use this.
The good ones calculate pw Strength client-side, so there is nothing to worry about there. Problem, most people don’t know what the good ones are nor how to find them.

Bit warden has a good pw entropy checker.

> most people don’t know what the good ones are nor how to find them.

I've spent a few years working in the information security space, and I'm quite certain that I wouldn't know which ones are "the good ones" and which ones aren't.

If you trust them it technically (legally, things can be different) doesn’t matter much (they need to use https, and there’s the risk of them being hacked) whether it’s done client-side.

If you don’t trust them you’d have to check that they work 100% client-side every time you use such a site, and people don’t know how to do that.

That’s were tools you host yourself (on a server or by locally installing them) make a difference: you have to vet them only when you install or update them, not at every use.

Also, you can restrict the capability to install or update to qualified personnel who should do a better job at security evaluation than your regular employee working under a tight deadline.

Online key or certificate generators too; I once caught a subsidiary of one of the two biggest credit card schemes using PGP keys that they’d generated on a random site somewhere preparing to use it to protect 100M card numbers.

Luckily sanity prevailed in that case. Who knows how often this kind of thing happens silently?

And those QR code generator websites that use a redirect and then get their sales dept in touch if you start using them at scale.
There's one such site that creates a QR code representing a cryptocurrency address. Once it's created it will display your code with right next to it their own wallet address for "donations", labelled in tiny font. Can't imagine how many people scanned the wrong one, even just pointing your phone at the screen can capture the wrong one.

Pretty "genius" idea.

This use of the term 'honeypot' is strange and I have never seen before.

The only honeypot I am familiar with is a defensive security measure.

https://en.m.wikipedia.org/wiki/Honeypot_(computing)

It's the only use I've personally seen. It's become more popular in the privacy/security scene.
It is a strange usage of the term. I suppose it's possible that governments are hosting some of these sites in order to catch people stupid enough to convert child porn or stolen defense documents to different formats.
See also translation websites.
I’ve never ever trusted any of those kind of sites - even sharing document sites raise the same questions. For personal use, ok, for professional use, never!
I've always thought this was a serious risk, and as a result, I don't use them. None of them do anything you can't get a tool to do locally (and without internet access, even) anyway.
That's a bit extreme position. I use them sometimes, when I want to do some niche task and don't want to waste time installing software.

I just assume that every three letter agency in the world will see the files as soon as I upload them, and they will be leaked to the public internet two hours later. But that's OK, because I just sent them a random cat I took picture of.

I don't think it's an extreme position at all, since other solutions are easy to find and get (and they're almost always better).

But I'm in no way saying that everyone should do as I do, I'm just saying that these online services are entirely optional. If anyone is nervous about them, the easy thing to do is to not use them.

This is an area where MacOS, preview and quicktime shine. Except for converting pdf to word, most everything you might need is included. Especially, merging and unmerging pdf files. I never understood why MS doesn't provide similar tools.

On windows, these functions aren't included and for whatever reason, searching the web for tools leads to shady websites and downloads.

LibreOffice does a credible job of PDF to Word on OSX.
Tangentially related to the file converters are yaml and json formatters that are very popular online. I've seen my team open one and just paste away. Who knows what these tools are doing, and even if it was safe one day, the next day it could have been compromised. I'm sure the org has leaked hundreds, maybe thousands of kb by now. At least we don't have PII or any production data. I have an alias that extracts my clipboard, uses jq to format, and puts it back into the clipboard (macos), as an alternative workaround for these web formatters.
Of course.

And RMS has been warning us about this for ages.

My thoughts exactly. Most likely.