Hypertext 2010 Security Hole: All papers downloadable and editable by anyone (2 months before conference start)
In June the ACM Hypertext 2010 will take place in Toronto. Some days ago I wanted to upload the camera-ready versions of three papers accepted at the conference. And... I was surprised.

By email I got links to web pages (namely http://www.sheridanprinting.com/acm/sigweb-ht/sigweb-ht.cfm?id=ht104, http://www.sheridanprinting.com/acm/sigweb-ht/sigweb-ht.cfm?id=ht105, and http://www.sheridanprinting.com/acm/sigweb-ht/sigweb-ht.cfm?id=ht121) on which I could upload my camera-ready papers, specify the authors, keywords, etc. No password or other kind of authorization had to be entered.

Now, guess what. I played around with the URL and tried, for instance, to open the following URLs in my browser:

http://www.sheridanprinting.com/acm/sigweb-ht/sigweb-ht.cfm?id=ht100
http://www.sheridanprinting.com/acm/sigweb-ht/sigweb-ht.cfm?id=ht107

You can probably guess what happened: I could edit the details (and see the private email addresses the primary authors provided) and upload PDF files for the other papers accepted at Hypertext just by changing the URL. That means I could have added to or modified the author list, changed the title, or uploaded a modified PDF.

The screenshot shows the user interface on which I could have changed the data for the paper "Dealing with the Video Tidal Wave: The Relevance of Expertise for Video Tagging" by Sara Darvish and Alvin Chin (here is a list of all papers accepted at Hypertext 2010).
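As an added example (not code from this post or from the printing company's site), the lookup pattern the post describes, where the guessable id alone selects the record, is shown beside one server-side mitigation: a per-paper upload token that the server derives with a keyed HMAC and checks before showing the record. Paper ids, author addresses and the upload host are constructed placeholders.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed server-side key; a real deployment loads it from a secrets store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed registry in the style of the ht104/ht105 ids from the post.
PAPERS = {"ht104": "author104@example.org", "ht105": "author105@example.org"}


def open_upload_page_unprotected(query):
    """The pattern in the post: the id in the query string selects the record,
    so anyone who changes ht104 to ht105 sees and edits another paper."""
    paper_id = parse_qs(query).get("id", [None])[0]
    return PAPERS.get(paper_id)


def mint_upload_link(paper_id, key=SERVER_KEY):
    """Link to email to the author: the id plus an HMAC tag over it.
    Without the key, a guessed id cannot be paired with a valid tag."""
    tag = hmac.new(key, paper_id.encode(), hashlib.sha256).hexdigest()
    return "https://example.org/upload?" + urlencode({"id": paper_id, "tok": tag})


def open_upload_page_protected(url, key=SERVER_KEY):
    """Recompute the tag for the requested id and compare in constant time.
    Any id/tag mismatch, unknown id or missing tag is refused."""
    qs = parse_qs(urlparse(url).query)
    paper_id = qs.get("id", [""])[0]
    token = qs.get("tok", [""])[0]
    expected = hmac.new(key, paper_id.encode(), hashlib.sha256).hexdigest()
    if paper_id not in PAPERS or not hmac.compare_digest(token, expected):
        return None
    return PAPERS[paper_id]
```

The token only fixes the enumeration shown in the post; the emailed link is still a bearer credential, so an expiry in the signed data and a proper author login are the next steps.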