Unveiling Font Security Risks: Canva’s Investigation Exposes Surprising Vulnerabilities in Typeface Choices
Canva, a leading graphic design platform, has conducted an in-depth investigation revealing unforeseen vulnerabilities in font security and underscoring the potential cybersecurity pitfalls associated with selecting inappropriate typefaces. In their report titled “Fonts are still a Helvetica of a Problem,” Canva delves into three critical vulnerabilities, shedding light on the often-overlooked realm of security threats linked to fonts.
In an effort to fortify the security of its tools, Canva scrutinized fonts as less-explored attack surfaces crucial to graphics processing. The initial vulnerability, labeled CVE-2023-45139, was unearthed in FontTools, a Python library for font manipulation.
The flaw surfaced when FontTools processed a font's SVG table while subsetting it, exposing an XML External Entity (XXE) vulnerability that posed a substantial security risk. FontTools promptly addressed the issue, releasing a patch just three days after being notified in September 2023.
The subsequent vulnerabilities, CVE-2024-25081 and CVE-2024-25082, both rated at 4.2/10, were linked to naming conventions and font compression. Canva identified potential command injection risks when handling filenames in tools like FontForge and ImageMagick. Swift action has been taken to address both vulnerabilities and mitigate potential security threats.
Canva’s report emphasizes the necessity for IT professionals to treat fonts as untrusted input, advocating for the adoption of sandboxing techniques and tools like OpenType-Sanitizer to protect against potential attacks. The collaborative efforts of open-source font software and tool maintainers are acknowledged for their timely response to emerging security concerns.
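The "treat fonts as untrusted input" advice applied to the SVG-table XXE case above, as an added example that is neither FontTools' nor Canva's code: the XML stored in an OpenType SVG table is gated by an expat pass that refuses any DOCTYPE, entity declaration or external entity reference before the document is parsed for real. The glyph documents and the placeholder path are constructed for the example.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class UnsafeSvgDocument(ValueError):
    """Raised when an SVG table document carries DTD or entity constructs."""


def check_svg_document(xml_bytes: bytes) -> None:
    """Gate an untrusted SVG-table document before the real parse.

    Any XXE payload needs a DOCTYPE with an entity declaration, so the
    handlers abort on those constructs instead of trusting a downstream
    parser's defaults about entity resolution.
    """
    parser = expat.ParserCreate()

    def refuse_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeSvgDocument(f"DOCTYPE {name!r} is not allowed in an SVG table")

    def refuse_entity(*_):
        raise UnsafeSvgDocument("entity declarations are not allowed in an SVG table")

    def refuse_external_ref(*_):
        raise UnsafeSvgDocument("external entity references are not allowed")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.ExternalEntityRefHandler = refuse_external_ref
    try:
        parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    except expat.ExpatError as exc:
        raise UnsafeSvgDocument(f"malformed SVG document: {exc}") from exc


def parse_svg_table_document(xml_bytes: bytes) -> ET.Element:
    """Parse one SVG table document, refusing anything that fails the gate."""
    check_svg_document(xml_bytes)
    return ET.fromstring(xml_bytes)


def is_safe_svg_document(xml_bytes: bytes) -> bool:
    """True when the document passes the gate, False when it is rejected."""
    try:
        check_svg_document(xml_bytes)
    except UnsafeSvgDocument:
        return False
    return True


# Constructed samples: a benign glyph document as an SVG table would store it,
# and one carrying the DOCTYPE/entity constructs the gate must refuse.
BENIGN_GLYPH = b'<svg xmlns="http://www.w3.org/2000/svg"><path id="glyph1" d="M0 0h10v10z"/></svg>'
ENTITY_GLYPH = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
                b'<svg xmlns="http://www.w3.org/2000/svg"><text id="glyph1">&ext;</text></svg>')
```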
While the exploration of font security is not entirely novel, Canva’s findings underscore the heightened relevance and severity of potential consequences in the face of evolving cyber threats. With Google having delved into similar issues almost a decade ago, Canva’s call to pay attention to less obvious attack surfaces serves as a prudent recommendation amid the current cybersecurity landscape.