Can You Accept LaTeX Files from Strangers? Ten Years Later

It is well-known that Microsoft Word/Excel compatible documents or PDF files can contain malicious content. LaTeX files are unfortunately no exception either. LaTeX users often include third-party codes through sources or packages (.sty or .cls files). But those packages can execute malicious commands on the users' system, in order to capture sensitive information or to perform denial of service attacks. Checkoway et al. [3] were the first to warn LaTeX users of these threats. Collaborative cloud-based LaTeX editors and services compiling LaTeX sources are particularly concerned. In this paper, we have created a LaTeX package that collects system data and hides them inside the PDF file produced by the target. Then, we have measured what can be recovered by hackers using malicious LaTeX file on online services, and which measures those services have enforced to thwart the threats. Services defend themselves using sandbox or commands restrictions. Commands restrictions are more difficult to setup and we found one service (PMLatex) which is too permissive.