How to safely convert files

Online converters are a tempting but dangerous way to change file formats. We tell you how to convert files and not get trojanized.


You almost certainly know the situation when a friend or colleague sends you files in a format you can’t open. For example, you asked for photos, expecting JPEGs or PNGs, but instead they arrive in HEIC format. What do most people do in this case? That’s right, they look for a free online file-converter.

If you’re a long-time reader of our Kaspersky Daily blog, you probably already know that the most popular method of doing most anything is hardly ever the safest. File conversion is no different. Let’s figure out together what threats are lurking inside free online-converters, and find out how to change file format safely.

Why is this important? Because converting a file is not simply a matter of changing its extension — otherwise you could just rename the file from, say, EPUB to MP3. Instead, the converter program must read the file, understand what it contains, convert the data and re-save it in a different format — and each of these stages poses its own threats.

Personal data leakage, malware, and other threats

The first risk that springs to mind is personal data leakage. Even if you’re a “who on earth needs my data?” kind of person, you should still take care: your vacation snaps may be of no use to anyone, but confidential work documents are a different kettle of fish. When you upload a file to an online converter, you can never be sure that the site won’t save a copy of your file for its own purposes. Uploaded data can easily end up in the hands of scammers, and even be used to launch an attack on your company. And if you get fingered as the intruders’ entry point into the corporate network, your infosec team will hardly be thanking you.

If you think this threat applies solely to text or spreadsheet documents, and that a photo of some accounting statement can be safely uploaded and converted to PDF, think again. Optical character recognition (OCR) was invented last century, and now, with AI, even mobile Trojans have learned to extract data of interest to attackers from photos in your smartphone gallery.

Another common risk is malware infection. Some dubious converter sites may modify your files or add malicious code to the converted file — and without reliable protection you won’t know about it until it’s too late. The converted files may contain scripts, Trojans, macros, and other nasty stuff we’ve covered in detail many times.

Converter sites may also be phishing sites, so services asking you to register, enter a load of personal data, and buy a subscription just to convert a file from, say, PDF to DOC, should be eyed with suspicion. If you still plan to use an online converter, look for one that doesn’t require registration, and never give it your payment details.

How to convert files locally

The safest way is to convert files locally; that is, on your own device without using third-party sites. This way, the data is guaranteed to remain confidential — at least until you connect to the internet. You can change a file’s format using either system tools or popular programs.

For text and spreadsheet files, as well as presentations, Microsoft Office can help. It can read many file formats using the File → Open or File → Import commands (depending on the version of Office and the operating system), and save them in different formats using the File → Save as → Save as type (or File format) or File → Export commands. The list of available formats is long: from PDF and HTML to the OpenDocument standard.

If you don’t have access to Microsoft products, you can use the free alternatives LibreOffice and OpenOffice, which also support various text and table file formats. On Windows, text documents can also be converted in the built-in WordPad editor, although it reads far fewer file types.

For macOS users, Apple’s office applications (Pages, Numbers, Keynote) recognize and save documents in many different formats.

As for graphics files, things are even simpler. Built-in operating-system tools can help convert images from PNG to JPEG. On Windows, just use this command in Paint: File → Save as. macOS users don’t even need to open any programs — just right-click the image in Finder and select Quick Actions → Convert Image. The window that opens gives you a choice of format (PNG, JPEG, HEIF) and converted image size.

If the above conversion options aren’t enough — for example, you’re handling audio/video files or specific file formats — look for offline tools with a solid reputation as free and open-source software (FOSS).

For video (and many audio) formats, check out Handbrake (Windows, macOS, Linux) and Shutter Encoder (Windows, macOS, Linux); for audio, try Audacity, and for images, ImageMagick (Windows, macOS, Linux).

Most multimedia converters simply add a graphical interface to FFmpeg, perhaps the top tool for converting multimedia formats. Its only drawback (which for some is a plus) is that it only works from the command line.

If you’re fine with the command line, FFmpeg is the obvious choice (but, being fine, you’ve probably got it installed already). Another great choice for command line fans is Pandoc — a versatile converter of text and markup formats. Incidentally, under Extras on the Pandoc website, you can find many third-party utilities for adding a graphical interface to this converter, or embedding it in other editors, services, or even operating systems.

All of the above converters are FOSS (free and open-source software), and support at least the most popular operating systems: Windows, macOS, Linux.

When choosing other offline converters, make sure that the conversion really does take place locally — many tools simply provide an interface to online converters and still send your source files to a server. This is very easy to check by disconnecting from the internet before converting. If the tool doesn’t work, it’s not an offline converter.

How to convert files online as safely as possible

Sometimes there’s no avoiding online converters — for example, you were sent a file in some highly exotic or outdated format. The next section looks at how to minimize threats when converting files online.

Alas, it’s impossible to guarantee confidentiality when using an online converter. Its creators can write whatever they want in the site’s policies, but you’ll never know what actually happens to your uploaded data. Therefore, the golden rule is: never convert sensitive information online.

If you have a Google account (and who doesn’t?), you can upload the file you want to convert to Google Drive (most office formats are accepted), right-click, and open it in Google Docs/Sheets/Slides, then download it in a different format. Among the pluses, this method also works on mobile devices — although in this case it’s more convenient to open the file in the relevant Google editing tool.

Another fairly safe way to convert either text or graphics files is Adobe’s online converter. You can even use it for free on a smartphone — but there’s a catch: all uploaded data gets stored on Adobe’s servers, making this method unsuitable for confidential files.

Follow these rules to ensure maximum safety when converting files online:

  • Use reputable online converters.
  • Open the converter site in a new browser window in Incognito mode; this will reduce the amount of information collected about you — but not down to zero.
  • Use a reliable VPN to hide your real IP address from the converter site.
  • Review the online converter’s privacy policy to understand how your data will be handled. Make sure the service does not collect, store, or transfer information without your consent — or at least claims not to.
  • Check that the files for conversion do not contain confidential information.
  • Scan the converted files with an antivirus. Be very wary if the converter site wants you to download the result in an archive — especially a password-protected one, since this is the most common way to conceal a virus from security software. If you don’t have any protection software on your device (heaven forbid), you can scan the downloaded file using our online file checker.
  • Avoid unverified sites that require registration and payment details.

Unzip this

Lastly, a small life-hack that few people know about. Sometimes you don’t need to convert a file to another format at all, but just extract information from it; for example — pull images out of a text document or presentation in their original format. Doing this even with native editors is usually time-consuming and inconvenient — you have to export the images one by one, and the editors might change their size or compress them, deteriorating the picture quality.

But there’s a way round this. The secret is that files of many formats are nothing more than a compressed folder with subfolders that store “pieces of the puzzle”: text, images, embedded videos, and the like. And it’s all zipped. That means that almost all office-suite files are ZIPs with the extension changed to DOCX, PPTX, PAGES, etc.

To extract all the contents from this “archive”, you simply need to rename the file, changing its extension to ZIP, and then unzip it. The result will be a folder with subfolders in which all the “ingredients” of the original document are neatly laid out.

So, if you come across an unknown file format, first of all scan it for viruses with a reliable security solution, then make a copy of it, change the extension to ZIP (in macOS, if the file extension is hidden, you may need to press ⌘+I to change it), and try to unzip the file — in many cases this will work. Next, have a rummage around in the resulting folder — you’ll find all sorts of goodies!
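The same trick can be done without renaming anything, and with a few checks a plain unzip skips. The script below is an added example, not part of the original article: it assumes an Office-style container with images under word/media/, ppt/media/ or xl/media/, and the function names, the size cap and the sample file are constructed for illustration.

```python
import zipfile
from pathlib import Path, PurePosixPath

MAX_TOTAL_BYTES = 200 * 1024 * 1024  # assumed cap on unpacked size (zip-bomb guard)
MEDIA_DIRS = ("word/media/", "ppt/media/", "xl/media/")  # OOXML image folders

def extract_media(container, out_dir, max_total=MAX_TOTAL_BYTES):
    """Copy embedded media out of a ZIP-based document; return the files written.

    Raises ValueError if the file is not a ZIP or any member looks unsafe.
    """
    if not zipfile.is_zipfile(container):
        raise ValueError("not a ZIP container; the rename trick will not work")
    out_dir = Path(out_dir)
    written = []
    with zipfile.ZipFile(container) as zf:
        infos = zf.infolist()
        # Refuse archives whose declared unpacked size is implausibly large.
        if sum(i.file_size for i in infos) > max_total:
            raise ValueError("declared unpacked size exceeds the cap")
        for info in infos:
            name = PurePosixPath(info.filename)
            # Member names must stay inside the target folder.
            if name.is_absolute() or ".." in name.parts:
                raise ValueError(f"unsafe member path: {info.filename!r}")
            # Bit 0 of the flags marks an encrypted (password-protected) entry.
            if info.flag_bits & 0x1:
                raise ValueError(f"encrypted member: {info.filename!r}")
            if info.is_dir() or not info.filename.startswith(MEDIA_DIRS):
                continue
            target = out_dir / name.name  # flatten: keep only the file name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target)
    return written

def make_sample(path):
    """Write a tiny constructed DOCX-like container for the demo."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG constructed")

if __name__ == "__main__":
    import tempfile
    tmp = Path(tempfile.mkdtemp())
    make_sample(tmp / "sample.docx")
    print(extract_media(tmp / "sample.docx", tmp / "media"))
```

The images are copied byte for byte, so nothing is resized or recompressed along the way.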
