Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Craig Hale

Using the wrong font could be a major security problem — and possibly not for the reason you might think

Fonts.

An investigation by Canva deep dive into the world of font security has uncovered three unexpected vulnerabilities and revealed how choosing the wrong font could spell out a cybersecurity disaster.

In an effort to enhance the security of its tools, Canva has been researching less-explored attack surfaces, including fonts, which play an integral part in graphics processing.

A trio of vulnerabilities have been highlighted in a report entitled “Fonts are still a Helvetica of a Problem", with Canva ultimately declaring that the font landscape is actually quite rich in attack surfaces.

Canva is concerned about the font you use

The first vulnerability, tracked as CVE-2023-45139, was discovered in FontTools, a Python library for manipulating fonts. Canva found that when processing an SVG table to subset a font, FontTools could use an untrusted XML file, leading to an XML External Entity (XXE) vulnerability.

The researchers abused this vulnerability to produce a subsetted font containing an SVG table with an /etc/passwd payload. FontTools released a patch three days after being notified of the vulnerability in September 2023.

The other two vulnerabilities, CVE-2024-25081 and CVE-2024-25082, both rated at 4.2/10, were associated with naming conventions and font compression. Canva found the potential for command injection when dealing with filenames in tools like FontForge and ImageMagick. Both have also been addressed.

Acknowledging the timely work of open-source font software and tool maintainers, Canva noted that IT workers should “treat fonts like any other untrusted input” by implementing sandboxing and using tools like OpenType-Sanitizer.

This isn’t the first time that font security has been raised, with Google exploring similar issues nearly a decade ago, however with the increased prevalence and more severe consequences of cyber attacks, Canva’s recommendation that we pay attention to less obvious attack surfaces is a mighty sensible one.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.