Cupertino notified of the bug as it prepares next Mac OS updates internally

Sep 8, 2011 11:53 GMT

Christian Kienle, the developer of several Mac apps, including Core Data Editor and Store News, claims to have discovered a security flaw in Preview.app, the default image and PDF viewer in Apple’s Mac OS X.

A cut-to-the-chase video demonstration by Christian (embedded below the text) reveals the flaw could actually be quite serious.

Preview offers you the ability to select an area of the PDF page / image and copy it.

You can then paste it in a new document and everything will show as expected. However, by using the Rotate gesture on a MacBook’s trackpad or by clicking View > PDF Display > Media Box (as noted by one of Christian’s followers), the rest of the data that wasn’t contained in the selection appears.

“I am making this issue public so that every user can find out about it and is able to prevent bad things from happening with their (private) data,” Christian writes. “In addition to that I have already reported this issue to Apple,” he adds.

Some of those commenting on his finding believe this is not a security issue with Apple’s Preview application, but rather a technical issue with PDF files.

Sadly, every second in Christian’s video demonstration screams security flaw, and Apple will have to act swiftly.

This may be done either with a dedicated software update that patches this particular bug only, or via a few extra lines of code added in the next incremental updates to Mac OS X.

Since the flaw affects not only OS X Lion but Snow Leopard too (no confirmation yet on whether Leopard users are affected), Apple will probably include a fix in both OS X 10.7.2 (Lion) and OS X 10.6.9 - the forthcoming maintenance update for Snow Leopard users currently being tested internally.

Christian’s advice is to make sure you don’t use the cut & paste feature in Preview to pass on information, should it concern a document that contains data you would otherwise like to keep to yourself.
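A way to check a PDF before sharing it, given as an added example that is not from the article or from Christian Kienle: it flags pages whose visible area is smaller than the full page stored in the file. It assumes the pasted selection is recorded as a `/CropBox` smaller than the original `/MediaBox` (which the Media Box display option mentioned above suggests), that page dictionaries are stored uncompressed with both boxes set on the page itself, and it uses constructed sample bytes and hypothetical function names.

```python
import re

# Constructed sample: one page whose CropBox (the pasted selection) is far
# smaller than its MediaBox (the full original page still stored in the file).
SAMPLE_CROPPED = b"""%PDF-1.3
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R
   /MediaBox [0 0 612 792] /CropBox [100 500 300 600] >> endobj
"""
# Same constructed file with no CropBox: the whole page is what the reader sees.
SAMPLE_CLEAN = SAMPLE_CROPPED.replace(b"/CropBox [100 500 300 600]", b"")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
PAGE_RE = re.compile(rb"/Type\s*/Page(?![A-Za-z])")   # /Page but not /Pages
NUM = rb"\s*(-?(?:\d+\.?\d*|\.\d+))"                  # one PDF number


def _box(body, name):
    """Return (x0, y0, x1, y1) for a box entry such as /MediaBox, or None."""
    m = re.search(rb"/" + name + rb"\s*\[" + NUM * 4 + rb"\s*\]", body)
    return tuple(float(v.decode()) for v in m.groups()) if m else None


def _area(box):
    return abs(box[2] - box[0]) * abs(box[3] - box[1])


def hidden_page_content(pdf_bytes):
    """Return [(object_number, visible_fraction)] for every page whose
    CropBox shows less than the MediaBox, i.e. data lies outside the view."""
    findings = []
    for num, body in OBJ_RE.findall(pdf_bytes):
        if not PAGE_RE.search(body):
            continue
        media, crop = _box(body, b"MediaBox"), _box(body, b"CropBox")
        if media is None or crop is None:
            continue  # no CropBox on the page: nothing is cropped away here
        if _area(media) > 0 and _area(crop) < _area(media):
            findings.append((int(num), round(_area(crop) / _area(media), 3)))
    return findings


if __name__ == "__main__":
    for obj, frac in hidden_page_content(SAMPLE_CROPPED):
        print(f"page object {obj}: only {frac:.1%} of the stored page is visible")
```

A flagged file should be re-created from a rasterised or re-rendered copy of the selection rather than shared as is.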


Privacy issues with PDFs created using Preview.app from Ebbinghaus on Vimeo.