In June the ACM Hypertext 2010 conference will take place in Toronto. Some days ago I wanted to upload the camera-ready versions of three papers accepted at the conference. And… I was surprised. By email I got a link to a web page (namely
,
, and
on which I could upload my camera-ready papers, specify the authors, keywords, etc. No password or other kind of authorization had to be entered. Now, guess what. I played around with the URL and tried, for instance, to open the following URLs in my browser.
You can probably guess what happened: I could edit the details (and see the private email addresses the primary authors had provided) and upload PDF files for the other papers accepted at Hypertext just by changing the URL. That means I could have added or modified the author list, changed the title, or uploaded a modified PDF.
The screenshot shows the user interface on which I could have changed the data for the paper “Dealing with the Video Tidal Wave: The Relevance of Expertise for Video Tagging” by Sara Darvish and Alvin Chin (here is a list of all papers accepted at Hypertext 2010).
But it gets even better. After submitting my camera-ready papers I was provided with a link to check the uploaded PDF file. Again, I played around with the URL and yes, I could also download all the PDFs other authors had already uploaded. That means: two months before the conference takes place, anybody could have accessed all the papers that are going to be presented at Hypertext 2010 and published by ACM. The screenshot shows the PDF of “Dealing with the Video Tidal Wave: The Relevance of Expertise for Video Tagging” by Sara Darvish and Alvin Chin, one of the PDFs I had access to. To be honest, I did not have the time to read any of the papers (although I downloaded some of them). But I am pretty sure that authors are not happy about the idea that someone can read their papers two months before publication and could either publish the PDFs on the Web or, even worse, steal their ideas and results. Imagine someone presents a method in his paper for which he is currently about to file a patent application. Usually he would have time to submit the application before the day the conference starts. But now… well.
Important to mention is that this is probably not the immediate fault of ACM or Hypertext. The website for uploading the papers is offered by Sheridan Printing who, by the way, fixed the security problem within 24 hours after I reported it. But I wonder: has anybody experienced similar things with conferences?
Two side notes:
1. As stated, Sheridan Printing fixed the problem by removing the website completely. Maybe not the most elegant solution, but definitely the safest one ;-).
2. I wrote that I could access all papers, which is not exactly true. Actually, I could only access those papers whose authors adhered to the naming guidelines, i.e. ht{paperID}-{lastname}.pdf. PDFs of authors who named their files differently were not that easily accessible, as I did not know the file name.
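The two flaws described above (an edit page keyed only by the paper ID in the URL, and uploads stored under the predictable ht{paperID}-{lastname}.pdf names) boil down to a missing authorization check. The following is an added example, not Sheridan Printing's code: it contrasts that pattern with a version where the e-mailed link carries an unguessable per-paper token and uploads are stored under random names. All paper data and tokens are constructed sample values.

```python
import secrets

class Forbidden(Exception):
    """Raised when a request does not prove it may touch the paper."""

# Constructed sample data, not the real Hypertext 2010 submission records.
PAPERS = {
    101: {"title": "Paper A", "author_email": "alice@example.org"},
    102: {"title": "Paper B", "author_email": "bob@example.org"},
}
# Vulnerable layout: one shared directory with ht{paperID}-{lastname}.pdf names.
UPLOAD_DIR = {"ht101-alice.pdf": b"%PDF-A", "ht102-bob.pdf": b"%PDF-B"}

def vulnerable_edit_page(paper_id):
    # The flaw in the post: the id in the URL is the only "credential".
    return PAPERS.get(paper_id)

def vulnerable_download(filename):
    # Anyone who knows the naming guideline can fetch any paper.
    return UPLOAD_DIR.get(filename)

# Hardened: a capability token per paper (sent in the e-mailed link, never
# derivable from the id) and storage names unrelated to id or author.
TOKENS = {pid: secrets.token_urlsafe(32) for pid in PAPERS}
STORED = {}  # paper_id -> (random storage name, pdf bytes)

def authorize(paper_id, token):
    expected = TOKENS.get(paper_id)
    if expected is None or not isinstance(token, str):
        raise Forbidden("unknown paper or invalid token")
    if not secrets.compare_digest(expected.encode(), token.encode()):
        raise Forbidden("unknown paper or invalid token")  # constant-time compare

def hardened_edit_page(paper_id, token):
    authorize(paper_id, token)
    return PAPERS[paper_id]

def hardened_upload(paper_id, token, pdf_bytes):
    authorize(paper_id, token)
    name = secrets.token_hex(16) + ".pdf"  # not guessable from id or last name
    STORED[paper_id] = (name, pdf_bytes)
    return name

def hardened_download(paper_id, token):
    authorize(paper_id, token)
    entry = STORED.get(paper_id)
    return None if entry is None else entry[1]
```

A token in a URL is only as secret as the channel it travels over, so the link must be served over HTTPS and the token kept out of logs and referrers; a login tied to the submitting author's account would be the stronger fix.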
2 Comments
Sheridan Printing considered harmful « Reflected Total Internal Frustration · 7th September 2011 at 21:48
[…] the meantime, Jöran Beel independently discovered the security issue and wrote a blog post about this. It seems to have gone largely unnoticed. I only found it yesterday. Jöran mentioned that the […]
Tweets that mention SciPlore Blog » Blog Archive » Hypertext 2010 Security Hole: All papers downloadable and editable by anyone (2 month before conference start) -- Topsy.com · 26th April 2010 at 12:45
[…] This post was mentioned on Twitter by Bertalan Meskó, MD. Bertalan Meskó, MD said: a security hole in the submission system of one of the major conferences in computer science http://ff.im/-jdQO2 […]