"Not Just Hands, Your PDFs Also Need to be Sanitized"

A new study conducted by researchers at the University of Grenoble Alpes found that most organizations and security agencies are not sanitizing Portable Document Format (PDF) files before publishing or sharing them with others. The study involved the analysis of more than 39,000 PDF files published by 75 security agencies from 47 countries. The researchers were able to measure the quality and quantity of information exposed in these PDF files. According to the researchers, these files can be used by malicious actors to find weak links in an organization. For example, cybercriminals could use the PDF files to find out which employees use outdated software. It was discovered that only seven security agencies sanitize their PDF files before publishing. However, the researchers still found sensitive information within 65 percent of the sanitized PDF files, which indicates that some agencies are using inadequate sanitization methods. Proper sanitization requires removing all hidden sensitive data from the PDF file, not just the information considered important. The National Security Agency (NSA) has provided a list of the different types of hidden data and embedded content that PDF files may contain, such as scripts, metadata, attached files, stored interactive form data, obscured images, and more. This article continues to discuss findings from the study on the sanitization of PDF files by security agencies, the concept of PDF sanitization, the low adoption of this practice, the types of hidden data found in such files, and the levels of sanitization listed by the NSA.

CISOMAG reports "Not Just Hands, Your PDFs Also Need to be Sanitized"
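A pre-publication check for several of the hidden-data types listed above (scripts, metadata, attached files, stored form data), added here as an illustration; it is not code from the study, the NSA guidance, or CISOMAG. The function names, the marker table, and the sample bytes are assumptions made for this example, and obscured images are not covered.

```python
import re

# PDF name tokens that signal the hidden-data categories named in the summary.
MARKERS = {
    "scripts": (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA"),
    "metadata": (b"/Author", b"/Creator", b"/Producer", b"/Metadata"),
    "attached files": (b"/EmbeddedFiles", b"/Filespec"),
    "form data": (b"/AcroForm", b"/XFA"),
}

_NAME = re.compile(rb"/[^\s/<>\[\]()%{}]+")   # a PDF name runs until a delimiter
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")      # names may hex-escape any character

def _names(data):
    """Return every PDF name in data with #xx escapes decoded,
    so /J#61vaScript is recognised as /JavaScript."""
    return {_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), n)
            for n in _NAME.findall(data)}

def audit_pdf(data):
    """Map each hidden-data category to the marker names found in the raw bytes."""
    present = _names(data)
    findings = {}
    for category, tokens in MARKERS.items():
        hits = sorted(t.decode() for t in tokens if t in present)
        if hits:
            findings[category] = hits
    return findings

def producer_strings(data):
    """Extract literal /Producer and /Creator values, which name the authoring software."""
    found = re.findall(rb"/(?:Producer|Creator)\s*\(([^)]*)\)", data)
    return [v.decode("latin-1") for v in found]

# Constructed fragment for illustration, not a real published document.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /AcroForm 4 0 R /Names << /EmbeddedFiles 5 0 R >> "
    b"/OpenAction << /S /J#61vaScript /JS 6 0 R >> >> endobj\n"
    b"2 0 obj << /Author (j.doe) /Producer (ExampleWriter 1.0) "
    b"/Creator (ExampleOffice 2010) >> endobj\n"
)

if __name__ == "__main__":
    print(audit_pdf(SAMPLE))
    print(producer_strings(SAMPLE))
```

An empty result is not proof of a clean file: markers inside compressed object streams are invisible to a raw byte scan, so decompress streams or use a full PDF parser before relying on it.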
