In 2009 I found a pretty obvious security flaw in Sheridan Printing’s submission management system. It allows anyone to view and modify all papers in the conference proceedings of many major computer science conferences prior to printing and publication.
Over the last two years I have continuously tried to get this problem fixed silently – without success. Therefore, I publish the issue now, giving authors the chance to make informed decisions.
In this blog post I describe the problem, explain its possible consequences, and propose ways to fix this issue.
Who is Sheridan Printing?
(skip this if you have already dealt with Sheridan Printing)
In computer science, conferences are a very important venue for publishing original research.
Preparing conference proceedings and uploading the papers to the ACM digital library is a lot of work, especially for large conferences like CHI.
Sheridan Printing is a full service company that take care of the whole workflow from camera-ready manuscript to printed and digital proceedings.
They do this quite well, giving authors valuable feedback on typographic problems.
Sheridan Printing services many large and small ACM conferences, e.g. CHI, UIST, TEI, ITS, WWW, and many other conferences.
The Flaw
Sheridan comes into play once your paper gets accepted for the conference. Then you have to upload a PDF version of your paper to their submission system and add metadata like ACM classification categories or author details. Additionally, they urge you to also upload your MS Word .doc or TeX source file.
Some time after I got the acceptance notification for a paper at TEI 2010, Sheridan Printing sent me a link to a login form, where I should enter my paper ID, “p123” (slightly changed). It looked like this:
Notice anything?
The very first moment that I saw this login form, I could not believe my eyes. The only barrier between me and the submission details of an arbitrary paper seemed to be this ‘secret’ submission ID. An ID that consisted of a static prefix and the number my paper had been assigned when I submitted my paper for review.
To anyone that has the faintest idea of information security, it should be obvious that this form does not provide any authentication.
I tried out other submission IDs, starting at ‘p100’, incrementing. After a few tries I found another valid submission ID. The submission system showed me all details for this paper and even allowed me to submit a new version of the other paper.
The forms look like this:
Spending a few hours with the system I found out:
- You can do a brute-force attack, interating through all possible IDs. The server does not rate-limit requests.
- For many conferences, Sheridan Printing offers detailed formatting instructions, also detailling the format of the submission ID (e.g. ACM WWW). You do not even have to guess possible prefixes.
- You can change the author’s e-mail address. All notifications caused by changing the submission will be sent to this address now. The original author is not notified about the changed e-mail address and will never know that you are messing with her paper.
- You can change all submission details.
- All files that you upload to the system can be accessed by anyone. The naming scheme is easily guessable.
- You can upload new camera-ready versions.
- Changes can only be made during a short timeframe of about one or two weeks. Once Sheridan Printing receives the ACM copyright transfer form, no changes to submissions are possible anymore. However, PDF and source files remain accessible.
Not nice.
The Consequences
So, what could you do with this information?
- You can see abstracts, paper authors, and even the camera-ready paper long before it is being published. You might do this to satisfy your curiosity. You might also use this information to prepare a new research project, giving you a time advantage over most competitors.
- You might scavenge the .tex and .doc source files for interesting comments (I found a number of them). These might be notes to co-authors (“I’ve tidied up the data, now it is statistically significant. Yay!”) or ideas for future work that the authors did not yet want to divulge. Again, you get an advantage over competitors.
- In countries where patents are granted on a ‘first to file’ basis, you may try to get patents on all inventions presented in the yet-unpublished papers.
- You can change author names, abstract or references. Adding another author like ‘Ike Antkare’ might go unnoticed until the conference. Of course, you can also make yourself (or someone you don’t like) first author of all papers.
- You can upload a blank or nonsensical paper instead of the original one. This might get caught by Sheridan Printing staff, however. Be subtle.
- You can severely damage someone’s credibility: You download the original source file of their submission (the PDF will do, too), change some details in it, and upload it again. For example, put a plagiarized paragraph into the paper, and pretend to notice this plagiarism at the conference. If your victims are not well known in the community, probably noone will believe their claims that they did not submit this paper.
I’m sure there are many additional ways someone could exploit this security hole.
Certainly, there are many authors who know about this issue.
Trying to get the issue fixed
As soon as I had verified this security issue, I sent an e-mail to my submission coordinator at Sheridan Printing, essentially telling them everything mentioned above, and proposing ways to fix the issue. This was on 11. December 2009.
After inquiring again a few days later, I got the following terse response on 15. December 2009:
Sir
This is being addressed by the programmers, my supervisors, and the IT dept at ACM.
XXXXX
)*(
Sheridan Printing
Hey, if so many people are working on this issue right now, this should be fixed in no time, right?
Sheridan Printing did not respond to further e-mails. The issue did not get fixed.
Over the last two years, I was able to reproduce this issue with only minor changes.
I notified the conference chairs of several medium and major ACM HCI conferences about this issue.
The general response was something like
Oh my god, that’s bad. Sheridan should get this fixed. Please do not tell anyone about this, you would be causing problems for your fellow authors.
So, everyone agreed that there was a serious security issue here, but noone did have the time or power to do anything about it.
Thus, in April 2010 I contacted an ACM SIGCHI Vice President. After a while I got a response like
Yes, there is a security issue. We are already in the process of changing the workflow for paper submissions. This is a complex issue. The new workflow will be implemented for ACM CHI 2011. Please keep silent.
And silent I kept. I did not get a paper accepted at CHI 2011, so I did not have to use the submission system. However, I assumed that the issue had indeed been fixed after almost a year.
In the meantime, Jöran Beel independently discovered the security issue and wrote a blog post about this. It seems to have gone largely unnoticed. I only found it yesterday.
Jöran mentioned that the security hole had been fixed. This is evidently not the case…
This year, we got a paper accepted at UIST 2011. In August 2011 I received an e-mail from Sheridan Printing, asking me to upload the camera-ready paper to their submission system.
Of course, I checked out whether this almost two years old bug had been really fixed.
…
…
…
Twenty minutes later, I knew the authors and abstracts of all upcoming UIST papers.
I downloaded 43 camera-ready PDFs, 11 .doc and 14 .tex source files.
So, yes, this security hole ist still wide open after two years and several inquiries from at least two researchers.
I contacted both the ACM SIGCHI Vice President and Sheridan Printing.
Only Sheridan Printing replied:
Raphael,
I have requested clarification from our programmer and sent this to our supervisor to respond.
XXXX
)*(
Sheridan Printing
Seems, everyone is again working day and night to fix the issue. I have not yet received an update on whether they were successful this time.
Conclusions
I have learned a few things:
- Sheridan Printing does not really seem to care about the security of the authors who have to use their system.
- Many conference organizers agree that this is a serious issue, but do not have the time or power to get it fixed.
- ACM SIGCHI seems to depend so much on Sheridan Printing that they do not want to press this issue.
- I guess, I have done pretty much all I can do in this regard. Obviously, keeping silent so far has not helped in getting the issue fixed.
So, what can you do?
I have done pretty much everything I could to get this security hole fixed. It’s your turn now.
If you are asked to submit your camera-ready paper to this system, you might want to ask the papers chair to manually handle your submission outside of this system. I have done so on one occasion. This actually causes the papers chair some work, increasing the chance that he will take the issue seriously.
If you are a papers chair at an ACM conference that uses Sheridan Printing’s submission system, you might want to ask them about the security issue.
If you are a programmer at Sheridan Printing: please, just send authors private URLs with a secret token for changing submission details and uploading the camera-ready paper. It is really that easy.
If you think my concerns are completely unwarranted, please tell me so in the comments.
If you have questions, please ask.
Edit: added links to Sheridan Printing
Edit 2: fixed a typo, put ACM response in blockquotes.
Update 09. September 2011, 08:30 UTC
On Twitter, Ed Chi, Co-Program Chair for CHI 2012 responds:
@keithinstone @ProfessorHook yes, it is bad. Sheridan is an ACM contractor. So sigchi can’t do a lot abt it.
Update 12. September 2011, 09:30 UTC
Please see Scooter Morris’ (ACM SIGCHI VP Conferences) comment below. At least for most SIGCHI-sponsored conferences, this security issue should become irrelevant next year.
Update 13. September 2011, 16:00 UTC
Please read Joe Konstan’s comment below. It seems the issue had already been fixed in July.
This might also be a good time to write a preliminary conclusion. From the reactions to this blog post I have learned the following:
- Some researchers suffer from worse security holes. 🙂
- Indeed, a majority of authors seems to have been unaware of the Sheridan Printing security issue.
- As James Landay pointed out on Twitter, he notified Sheridan Printing of this issue back in 2004, almost eight years ago, and Sheridan explicitly refused to fix it. So, one the one hand, this means that Sheridan Printing really sucks.
- On the other hand, it seems that quite a number of authors have been aware of this security issue for several years, and have seen that the issue was not going to be resolved. Actually, I learned that this security hole has been regularly exploited by some people for downloading unpublished papers.
- Except for Jöran Beel’s account from 2010, I could not find any public mention of the issue. So, not everyone who encountered the issue seems to have been inclined to do something about it.
Hopefully, our community’s reaction to scientific fraud would be more immediate…
Reflected Total Internal Frustration 
Adrienne
/ September 9, 2011Yeah, it’s a bad bug in terms of sabotage. But the other claims seem overstated. Many authors share their camera readies prior to official printing and publication; I’ve got one on my website right now, and it’s pretty standard. I also routinely get requests for papers as soon as the list of accepted papers are out and I freely agree to share with them. I don’t think therefore that anyone has any motivation to get a “head start” by messing with Sheridan…
raphaelwimmer
/ September 9, 2011Thank you for commenting.
I agree that I do not know why or how someone might exploit this security issue. I wanted to give a thorough overview of possibilities. Certainly, some exploits are more likely than others.
I am always happy to share my research and have never turned down a request for one of my papers.
However, there is a huge difference between someone asking me for a paper and someone stealing it from a private repository.
Actually, several authors I contacted about a copy of their papers in the past asked me to wait for the conference proceedings to appear for various reasons.
However, for me, the real issue is not the number of bad things that could be done, but the amount of time it takes to fix such an obvious bug.
MC
/ September 9, 2011The amount of time to fix might be related to the importance and risk of the bug. In other words, Sheridan probably believe that this bug is a very low risk and an attack would result in little damage. So it’s cheaper to wait for the attack and deal with the cleanup than to fix the code.
Raphael Wimmer
/ September 9, 2011@MC:
Yes, it is not clear, how great the risk is. I guess that a number of people are secretly downloading papers, but noone has yet manipulated a submission.
However, fixing this bug seems pretty trivial.
Personally, I would not want to deal with a company that pretty much ignores security issues.
Considering Sheridan Printing’s non-response to multiple reports, I fear that other systems and processes are quite vulnerable, too.
Given that thousands of authors have used this system in the past, I guess that a much larger number of authors were aware of this exploit than just me and Jöran.
Maybe, Sheridan should check their server logs and find out how often this issue has been exploited.
Scooter Morris
/ September 9, 2011Hi Raphael,
As I said initially, we *are* working to position ourselves to that the Sheridan web site is nowhere in the process for any SIGCHI-sponsored conference. For CHI 2011 it was extremely rare for an author to have to go through the Sheridan system. For CHI 2012, we will ask Sheridan not to enable the system at all. We anticipate that all SIGCHI conferences will move to the new system in 2012. Any SIGCHI conference can use the new system (submitting all content, including final content to PCS), but our experience in CHI 2011 pointed out some problems that we really wanted to get fixed. It turns out that there are a number of “magic” scripts that Sheridan has implemented on behalf of ACM to smooth transition into the DL, and we’ve got to duplicate all of those in PCS.
In any case, the problem is solved for the CHI conference, and will be solved for all SIGCHI conferences with submission deadlines in 2012. For non-SIGCHI sponsored conferences, the security issues remain and I fully agree they really, really, need to be resolved.
— scooter
John “Scooter” Morris
SIGCHI VP Conferences
Raphael Wimmer
/ September 9, 2011Thank you for the clarification.
I’m very happy that SIGCHI is working on this issue.
As you said, a good number of other conferences will still be vulnerable to this issue.
I still hope that Sheridan acknowledges and fixes this bug.
Joseph A. Konstan
/ September 12, 2011Thanks for this post — it led me to ask a bunch of questions (as a still-relatively-new member of the ACM Publications Board, and a conference chair). I’m quite happy with the responses I received (from ACM’s directors of publications and information systems:
1. The problem is now fixed. Instead of a form where you enter the paper number, authors are now sent a link where they enter a few pieces of information and this results in an email request to Sheridan staff. Sheridan staff then generates a link containing encrypted parameters that allows the author to make changes / uploads as before. There is no longer an entry point into the system where an author can enter a paper number directly.
2. This fix went live in late July, but conferences that were already open didn’t see the changes (because changes to a live conference are tricky). Instead, ACM and Sheridan put in place a “manual back-up plan” of checking submissions for malice — as far as I know, none was detected.
While there could have been more communication about what was going on, it seems like the right thing happened — the risk was ameliorated for open conferences by having a manual check, and in the meantime the system was fixed for future conferences.