Optical Society of America's Prism Information Leak

2014.08.15
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Optical Society of America's peer-review system can leak reviewers' usernames

Hi,

the Optical Society of America uses an article tracking system called "Prism" [1] to manage the submissions of authors and the comments of the reviewers. Reviewers can upload their reviews as MS Word or PDF documents.

Under certain circumstances, when an MS Word document is converted to PDF on the reviewer's computer, the username of the reviewer is embedded into the XMP metadata of the resulting PDF document as a dc:creator element. However, the article tracking system does not seem to know about XMP metadata in PDF documents and only clears the author field in the regular PDF metadata, thus leaving the dc:creator field for the author of the reviewed paper to see, potentially revealing the reviewer's identity.

Note that a malicious reviewer could of course easily fake the user name field.

Since the leak can only be seen when a paper is submitted and reviewed, I could not do a study on how many reviews are affected.

Best regards,
Peter Wiedekind
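The gap described above, clearing the regular PDF author field while leaving the XMP packet untouched, can be checked for and closed on upload. The following is an added example, not code from the advisory or from Prism; it assumes the XMP packet is stored uncompressed and uses the conventional `dc`/`rdf` prefixes, and the account name "jdoe" is a constructed sample value.

```python
import re
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
DC = "{http://purl.org/dc/elements/1.1/}"
# XMP packets are usually stored uncompressed, so a byte scan finds them.
XPACKET = re.compile(rb"<\?xpacket begin=.*?\?>(.*?)<\?xpacket end=.*?\?>", re.S)
# Assumption: the conventional "dc" and "rdf" prefixes are used in the packet.
CREATOR = re.compile(rb"<dc:creator>.*?</dc:creator>", re.S)
LI = re.compile(rb"(<rdf:li[^>]*>)([^<]*)(</rdf:li>)")

# Constructed fragment (not a complete PDF): Info /Author is already empty,
# but the XMP packet still names the hypothetical account "jdoe".
SAMPLE = (
    b"1 0 obj\n<< /Author () /Title (Review) >>\nendobj\n"
    b"2 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
    b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>\n'
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">'
    b"<dc:creator><rdf:Seq><rdf:li>jdoe</rdf:li></rdf:Seq></dc:creator>"
    b"</rdf:Description></rdf:RDF></x:xmpmeta>\n"
    b'<?xpacket end="w"?>\nendstream\nendobj\n'
)

def xmp_creators(pdf: bytes) -> list:
    """Return every non-empty dc:creator value in any XMP packet in the file."""
    names = []
    for m in XPACKET.finditer(pdf):
        body = m.group(1).strip()
        if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
            continue  # XMP needs no DTD; do not parse entity declarations
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            continue
        for creator in root.iter(DC + "creator"):
            names += [li.text.strip() for li in creator.iter(RDF + "li")
                      if li.text and li.text.strip()]
    return names

def blank_xmp_creators(pdf: bytes) -> bytes:
    """Overwrite dc:creator values with spaces of equal length, so stream
    lengths and xref byte offsets in the file stay valid."""
    blank_li = lambda m: m.group(1) + b" " * len(m.group(2)) + m.group(3)
    blank_creator = lambda m: LI.sub(blank_li, m.group(0))
    blank_packet = lambda m: CREATOR.sub(blank_creator, m.group(0))
    return XPACKET.sub(blank_packet, pdf)
```

The byte scan covers every packet in the file, including copies left behind by incremental saves, but it will not see metadata held in compressed streams; those need a full PDF parser.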



Copyright 2024, cxsecurity.com

 
