Canva Uncovers Critical Font Vulnerabilities, Exposes Cybersecurity Risks

Canva, the popular graphic design platform, announced the results of its security research on digital fonts. The company’s investigation revealed three previously unknown vulnerabilities (CVEs) in popular tools used for font processing and manipulation. These flaws underscore the often overlooked security risks associated with fonts and the need for heightened precautions.

The Problem with Fonts

The dialogue around font security is not new. Historical efforts, such as those by Google’s Project Zero, have highlighted vulnerabilities within font processing, leading to significant advancements like the OpenType Sanitizer project. However, as Canva’s investigation reveals, the potential for security issues in font handling extends beyond previously understood memory corruption bugs, encompassing a broader spectrum of vulnerabilities.

Canva’s research has identified that the SVG format, known for its web security challenges, intersects with font technology in unexpected ways. The SVG table within font formats like OpenType and TrueType, and the deprecated SVG fonts, represent innovative but potentially vulnerable methods of integrating color and design into typography. These findings prompt a reevaluation of SVG and XML handling vulnerabilities within the realm of font processing.

Key Findings:

• XML Vulnerability in FontTools: FontTools, a widely used Python library, was found to be susceptible to XML External Entity (XXE) attacks when processing SVG tables within certain font formats. This could allow attackers to steal sensitive data (CVE-2023-45139). Through a proof of concept, Canva demonstrated how malicious XML payloads could be crafted to extract sensitive information, exemplifying the potential risks associated with this vulnerability.

• Command Injection in FontForge: Popular font editing software FontForge was found to be vulnerable to command injection attacks due to mishandling of archive file names. This opens the door to potentially malicious code execution (CVE-2024-25081 and CVE-2024-25082)

What You Should Do

• Font Security is Paramount: Treat fonts with the same caution as any untrusted input. Implement sandboxing, utilize sanitizing tools, and stay updated on the latest vulnerabilities.
• Patching is Essential: Software developers and maintainers must prioritize patching font-related tools to mitigate discovered vulnerabilities.

Quotes from Canva’s Security Team:

“It can be difficult for maintainers to handle security problems, so having security engineers provide patching can speed up the process and build rapport with the open source community,” the researcher emphasizes.

Call to Action

Canva’s research underscores the need for continued scrutiny and secure practices in the realm of font security. Greater collaboration between the security community and software developers is crucial to protecting users and systems from potential attacks.