HACKER Q&A
📣 gjsman-1000

Is it just me, or could file conversion websites be a honeypot?


Hello,

I'm interested in some thoughts on this. I have nothing to go on but a hunch... but is there any guarantee that popular "file conversion" websites aren't honeypots for sensitive or useful information?

The odds, to me, of some employee running random files through a file conversion website at some point seem terrifyingly high. And some (like https://fabconvert.com/) definitely seem more suspicious than others, lacking any legal entity or trademark I can find. If there were, or are, corrupt file conversion websites out there, it would be the perfect crime. So much so that, if I were running a business, I would not allow employees to touch any such service with a 10-foot pole - but how often is that cited in training for preventing information leaks?

Thoughts?


👤 NoPicklez Accepted Answer ✓
I do a lot of work with what you’d call Shadow IT, or the use of unsanctioned applications. I use cloud broker tools which use firewall logs to identify where these websites are being used.

The use of these file conversion tools is very common, and they are often used on sensitive information. Heck, I’ve seen health companies use these tools to upload god knows what.

Usually there are little to no data sovereignty rules that apply, in that by using the service for free they can own the file you upload and use it to glean information from.

Firstly, employees need to be aware that they are not allowed to use this software and you need to therefore provide a solution. You should then use broker tools to actually block these conversion sites, in the same way that you might block the use of Dropbox and other cloud solutions if these are unsanctioned.

Yes, you’re absolutely right to question these services, and organisations are having to deal with the risk associated with using them, which is only really an issue if it’s sensitive personally identifiable information.
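One way to do the log-based identification the answer describes, as an added example and not the answerer's own tooling: a small Python scan over constructed proxy log lines that flags uploads to a hypothetical watchlist of conversion, formatter and key-generator domains (fabconvert.com comes from the thread; the .example domain names, the log layout and the size threshold are assumptions).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical watchlist of unsanctioned "free web tool" domains by category.
# fabconvert.com is named in the thread; the .example names are constructed.
WATCHLIST = {"fabconvert.com": "file-conversion",
             "jsonformatter.example": "code-formatter",
             "online-pgp.example": "key-generator"}
UPLOAD_BYTES = 1024  # request body size above which a POST/PUT counts as an upload
# Constructed proxy log lines in an assumed "ts src_ip method url request_bytes status" layout
SAMPLE_LOG = """\
1700000000.101 10.1.4.22 POST https://fabconvert.com/upload 2457600 200
1700000000.205 10.1.4.22 GET https://fabconvert.com/css/site.css 0 200
1700000000.310 10.1.7.9 POST https://www.jsonformatter.example/api/format 18432 200
1700000000.412 10.1.9.3 GET https://example.com/ 0 200
1700000000.520 10.1.4.22 POST https://online-pgp.example/generate 512 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+) (\d+) (\d+)$")

def watched_category(host):
    # Match the host itself or any parent domain (cdn.fabconvert.com -> fabconvert.com)
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        cat = WATCHLIST.get(".".join(labels[i:]))
        if cat:
            return cat
    return None

def find_uploads(log_text):
    # One finding per request that pushes data to a watched service
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        ts, src, method, url, req_bytes, _status = m.groups()
        host = urlsplit(url).hostname or ""
        cat = watched_category(host)
        if not cat or method not in ("POST", "PUT"):
            continue
        # A key generator returns the secret in the response, so even a tiny POST is a full exposure
        threshold = 0 if cat == "key-generator" else UPLOAD_BYTES
        if int(req_bytes) >= threshold:
            findings.append({"ts": ts, "src": src, "host": host,
                             "category": cat, "bytes": int(req_bytes)})
    return findings

def uploads_per_source(log_text):
    # Flagged uploads per internal address: the list to follow up with the users concerned
    return Counter(f["src"] for f in find_uploads(log_text))
```

The same per-source counts are what a broker tool's block rule would key on; plain GETs to the site (the stylesheet line) are deliberately not counted, since only the upload moves data out.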


👤 com
Online key or certificate generators too; I once caught a subsidiary of one of the two biggest credit card schemes using PGP keys that they’d generated on a random site somewhere preparing to use it to protect 100M card numbers.

Luckily sanity prevailed in that case. Who knows how often this kind of thing happens silently?


👤 sp332
Yeah, very plausible. And there are cases where it appears some third party has hacked the converter website as well. https://www.zdnet.com/article/dozens-of-online-file-converte...

👤 johnwalkr
This is an area where macOS, Preview and QuickTime shine. Except for converting PDF to Word, most everything you might need is included. Especially merging and unmerging PDF files. I never understood why MS doesn't provide similar tools.

On Windows, these functions aren't included and, for whatever reason, searching the web for tools leads to shady websites and downloads.


👤 gorjusborg
This use of the term 'honeypot' is strange and one I have never seen before.

The only honeypot I am familiar with is a defensive security measure.

https://en.m.wikipedia.org/wiki/Honeypot_(computing)


👤 nathanaldensr
I think you know already that any answer you get is pure speculation. Unless the source code is open source and their infrastructure is audited, you'll never know.

👤 JohnFen
I've always thought this was a serious risk, and as a result, I don't use them. None of them do anything you can't get a tool to do locally (and without internet access, even) anyway.

👤 throwaway78678
Probably. The worst for me are still the "test your password strength" websites though. So painful to explain to end users why it's NOT a good idea to use this.

👤 uzername
Tangentially related to the file converters are the YAML and JSON formatters that are very popular online. I've seen my team open one and just paste away. Who knows what these tools are doing, and even if it was safe one day, the next day it could have been compromised. I'm sure the org has leaked hundreds, maybe thousands of KB by now. At least we don't have PII or any production data. I have an alias that extracts my clipboard, uses jq to format, and puts it back into the clipboard (macOS), as an alternative workaround for these web formatters.

👤 BenFranklin100
I view it from two angles.

People rarely do anything for free, especially when it comes at a cost to them. Therefore, there is a significant likelihood something nefarious is happening.

On the other hand, there is a high probability the owner of the website would get caught eventually in a sting operation.

The only scenario I can imagine is the website is ad supported. At any rate, I have always avoided these websites out of a fear of the first possibility.


👤 aborsy
Why would anyone provide their files to a random internet website? It’s a security problem.

A lot of formats can be converted locally.


👤 fattybob
I’ve never ever trusted any of those kind of sites - even sharing document sites raise the same questions. For personal use, ok, for professional use, never!

👤 clbrmbr
And those QR code generator websites that use a redirect and then get their sales dept in touch if you start using them at scale.

👤 gadders
See also translation websites.

👤 ipaddr
A VC-backed company would be scanning without remorse, but these sites are much smaller and your data has less value to them than to Google, or Facebook or JCPenney or even the New York Times. Their entire functionality is the output of a command line tool. The site probably doesn't even have a database connected and lives off of low-paying ads.

Less worried than if Amazon ran one. They would know who it came from, what it means and how to use the information.


👤 tpoacher
Of course.

And RMS has been warning us about this for ages.


👤 IYasha
My thoughts exactly. Most likely.

👤 litiholofan
Every time I've used one I've thought the same.