In 2009 I found a pretty obvious security flaw in Sheridan Printing’s submission management system. It allows anyone to view and modify all papers in the conference proceedings of many major computer science conferences prior to printing and publication.
Over the last two years I have continuously tried to get this problem fixed silently – without success. Therefore, I publish the issue now, giving authors the chance to make informed decisions.
In this blog post I describe the problem, explain its possible consequences, and propose ways to fix this issue.
Who is Sheridan Printing?
(skip this if you have already dealt with Sheridan Printing)
In computer science, conferences are a very important venue for publishing original research.
Preparing conference proceedings and uploading the papers to the ACM digital library is a lot of work, especially for large conferences like CHI.
Sheridan Printing is a full service company that take care of the whole workflow from camera-ready manuscript to printed and digital proceedings.
They do this quite well, giving authors valuable feedback on typographic problems.
Sheridan Printing services many large and small ACM conferences, e.g. CHI, UIST, TEI, ITS, WWW, and many other conferences.
Sheridan comes into play once your paper gets accepted for the conference. Then you have to upload a PDF version of your paper to their submission system and add metadata like ACM classification categories or author details. Additionally, they urge you to also upload your MS Word .doc or TeX source file.
Some time after I got the acceptance notification for a paper at TEI 2010, Sheridan Printing sent me a link to a login form, where I should enter my paper ID, “p123” (slightly changed). It looked like this:
The very first moment that I saw this login form, I could not believe my eyes. The only barrier between me and the submission details of an arbitrary paper seemed to be this ‘secret’ submission ID. An ID that consisted of a static prefix and the number my paper had been assigned when I submitted my paper for review.
To anyone that has the faintest idea of information security, it should be obvious that this form does not provide any authentication.
I tried out other submission IDs, starting at ‘p100’, incrementing. After a few tries I found another valid submission ID. The submission system showed me all details for this paper and even allowed me to submit a new version of the other paper.
The forms look like this:
Spending a few hours with the system I found out:
- You can do a brute-force attack, interating through all possible IDs. The server does not rate-limit requests.
- For many conferences, Sheridan Printing offers detailed formatting instructions, also detailling the format of the submission ID (e.g. ACM WWW). You do not even have to guess possible prefixes.
- You can change the author’s e-mail address. All notifications caused by changing the submission will be sent to this address now. The original author is not notified about the changed e-mail address and will never know that you are messing with her paper.
- You can change all submission details.
- All files that you upload to the system can be accessed by anyone. The naming scheme is easily guessable.
- You can upload new camera-ready versions.
- Changes can only be made during a short timeframe of about one or two weeks. Once Sheridan Printing receives the ACM copyright transfer form, no changes to submissions are possible anymore. However, PDF and source files remain accessible.
So, what could you do with this information?
- You can see abstracts, paper authors, and even the camera-ready paper long before it is being published. You might do this to satisfy your curiosity. You might also use this information to prepare a new research project, giving you a time advantage over most competitors.
- You might scavenge the .tex and .doc source files for interesting comments (I found a number of them). These might be notes to co-authors (“I’ve tidied up the data, now it is statistically significant. Yay!”) or ideas for future work that the authors did not yet want to divulge. Again, you get an advantage over competitors.
- In countries where patents are granted on a ‘first to file’ basis, you may try to get patents on all inventions presented in the yet-unpublished papers.
- You can change author names, abstract or references. Adding another author like ‘Ike Antkare’ might go unnoticed until the conference. Of course, you can also make yourself (or someone you don’t like) first author of all papers.
- You can upload a blank or nonsensical paper instead of the original one. This might get caught by Sheridan Printing staff, however. Be subtle.
- You can severely damage someone’s credibility: You download the original source file of their submission (the PDF will do, too), change some details in it, and upload it again. For example, put a plagiarized paragraph into the paper, and pretend to notice this plagiarism at the conference. If your victims are not well known in the community, probably noone will believe their claims that they did not submit this paper.
I’m sure there are many additional ways someone could exploit this security hole.
Certainly, there are many authors who know about this issue.
Trying to get the issue fixed
As soon as I had verified this security issue, I sent an e-mail to my submission coordinator at Sheridan Printing, essentially telling them everything mentioned above, and proposing ways to fix the issue. This was on 11. December 2009.
After inquiring again a few days later, I got the following terse response on 15. December 2009:
This is being addressed by the programmers, my supervisors, and the IT dept at ACM.
Hey, if so many people are working on this issue right now, this should be fixed in no time, right?
Sheridan Printing did not respond to further e-mails. The issue did not get fixed.
Over the last two years, I was able to reproduce this issue with only minor changes.
I notified the conference chairs of several medium and major ACM HCI conferences about this issue.
The general response was something like
Oh my god, that’s bad. Sheridan should get this fixed. Please do not tell anyone about this, you would be causing problems for your fellow authors.
So, everyone agreed that there was a serious security issue here, but noone did have the time or power to do anything about it.
Thus, in April 2010 I contacted an ACM SIGCHI Vice President. After a while I got a response like
Yes, there is a security issue. We are already in the process of changing the workflow for paper submissions. This is a complex issue. The new workflow will be implemented for ACM CHI 2011. Please keep silent.
And silent I kept. I did not get a paper accepted at CHI 2011, so I did not have to use the submission system. However, I assumed that the issue had indeed been fixed after almost a year.
In the meantime, Jöran Beel independently discovered the security issue and wrote a blog post about this. It seems to have gone largely unnoticed. I only found it yesterday.
Jöran mentioned that the security hole had been fixed. This is evidently not the case…
This year, we got a paper accepted at UIST 2011. In August 2011 I received an e-mail from Sheridan Printing, asking me to upload the camera-ready paper to their submission system.
Of course, I checked out whether this almost two years old bug had been really fixed.
Twenty minutes later, I knew the authors and abstracts of all upcoming UIST papers.
I downloaded 43 camera-ready PDFs, 11 .doc and 14 .tex source files.
So, yes, this security hole ist still wide open after two years and several inquiries from at least two researchers.
I contacted both the ACM SIGCHI Vice President and Sheridan Printing.
Only Sheridan Printing replied:
I have requested clarification from our programmer and sent this to our supervisor to respond.
Seems, everyone is again working day and night to fix the issue. I have not yet received an update on whether they were successful this time.
I have learned a few things:
- Sheridan Printing does not really seem to care about the security of the authors who have to use their system.
- Many conference organizers agree that this is a serious issue, but do not have the time or power to get it fixed.
- ACM SIGCHI seems to depend so much on Sheridan Printing that they do not want to press this issue.
- I guess, I have done pretty much all I can do in this regard. Obviously, keeping silent so far has not helped in getting the issue fixed.
So, what can you do?
I have done pretty much everything I could to get this security hole fixed. It’s your turn now.
If you are asked to submit your camera-ready paper to this system, you might want to ask the papers chair to manually handle your submission outside of this system. I have done so on one occasion. This actually causes the papers chair some work, increasing the chance that he will take the issue seriously.
If you are a papers chair at an ACM conference that uses Sheridan Printing’s submission system, you might want to ask them about the security issue.
If you are a programmer at Sheridan Printing: please, just send authors private URLs with a secret token for changing submission details and uploading the camera-ready paper. It is really that easy.
If you think my concerns are completely unwarranted, please tell me so in the comments.
If you have questions, please ask.
Update 09. September 2011, 08:30 UTC
@keithinstone @ProfessorHook yes, it is bad. Sheridan is an ACM contractor. So sigchi can’t do a lot abt it.
Update 12. September 2011, 09:30 UTC
Please see Scooter Morris’ (ACM SIGCHI VP Conferences) comment below. At least for most SIGCHI-sponsored conferences, this security issue should become irrelevant next year.
Update 13. September 2011, 16:00 UTC
Please read Joe Konstan’s comment below. It seems the issue had already been fixed in July.
This might also be a good time to write a preliminary conclusion. From the reactions to this blog post I have learned the following:
- Some researchers suffer from worse security holes. 🙂
- Indeed, a majority of authors seems to have been unaware of the Sheridan Printing security issue.
- As James Landay pointed out on Twitter, he notified Sheridan Printing of this issue back in 2004, almost eight years ago, and Sheridan explicitly refused to fix it. So, one the one hand, this means that Sheridan Printing really sucks.
- On the other hand, it seems that quite a number of authors have been aware of this security issue for several years, and have seen that the issue was not going to be resolved. Actually, I learned that this security hole has been regularly exploited by some people for downloading unpublished papers.
- Except for Jöran Beel’s account from 2010, I could not find any public mention of the issue. So, not everyone who encountered the issue seems to have been inclined to do something about it.
Hopefully, our community’s reaction to scientific fraud would be more immediate…