Everyone has seen memes about the impact of using the wrong font on graphic design. However, the potential for a misinterpreted word or phrase isn’t nearly as detrimental to your business when considering how a font can create cybersecurity risks.
You might be thinking, “How could a font possibly be a security problem? It’s just a different typeface.” It’s easy to underestimate the importance of font security because finding and using fonts is so common and simple. Unfortunately, according to a new report from the design website Canva, not doing your diligence when downloading fonts could open the door to breaches, malware, and other security problems.
Common Vulnerabilities in Fonts
Because fonts are a critical element of Canva’s design tools, the company investigated the threat landscape to determine whether open-source fonts are a concern. The deep dive revealed several critical areas of concern:
- A vulnerability in FontTools, a Python library used to manipulate fonts, allowed hackers to exploit it to create a font that can collect passwords.
- A vulnerability in some tools allowed hackers to inject malware by exploiting naming conventions.
- A similar problem with font compression in the tools created openings for malware.
As soon as Canva identified these issues, the creators and maintainers of the open-source software tools issued patches to eliminate these vulnerabilities. However, this doesn’t mean there aren’t other unaddressed issues or there won’t be future problems, underscoring the importance of font security for IT personnel and anyone who uses downloadable fonts.
Other Concerns About Fonts
It’s worth noting that font security isn’t a new concern, as companies have experienced font-driven attacks in the past. While it’s possible to find safe, downloadable open-source fonts online, the files could contain viruses or other harmful code.
Hackers use fonts to launch spoofing attacks, for example. A normal-looking font could contain code that infects your system. Criminals also use fonts to trick users into downloading malware: a website might suddenly become unreadable, for instance, and direct you to download a fake file to fix the issue.
Fonts can also be a tool for launching phishing attacks and thwarting anti-spam or other security software.
Implement Protection From Font-Related Security Risks
It’s critical to educate employees about the importance of font security and establish clear policies and guidelines about downloading and using fonts.
Stop costly breaches, malware, and other issues by:
- Only allowing employees to download and use fonts from approved sources with the proper security protocols in place.
- Using tools for validating and sanitizing the files to reduce the attack surface.
- Sandboxing font downloads to check for malware before installing them.
Fonts might not be an obvious attack surface, making them appealing to hackers. Being aware of the risk and the importance of font security, and taking steps to mitigate it, can protect your company from significant consequences.
