Are Online File-Conversion Services Safe?

At Quora, I occasionally play, “Ask the expert”. Hundreds of my Quora answers are linked at the top right. Today, I was asked if it is safe to use free, online services that convert between file formats. For example, many web services allows you to upload a JPEG image and get back a PNG file. Others convert between DOC and PDF, or between popular video or audio formats.

Some of these services include additional processing. For example, stringing separate images together into a single animated GIF file—or rotating pages and adding a password within a PDF file. If you don’t have a locally installed program that does these things, is it safe to use these free, online services?

And what about the apps that you download and install? These present separate risks! But, with a little common sense, you can figure out which ones you can trust…


The short answer: It depends on the file type. A JPEG file that is processed via an online service is safe. SVG is not.*

A More Complete Answer…

There are three factors that relate to the safety of free online file converters:

  1. Is the target file type passive? That is, is it a data-only file that you will open with your own application. But watch out!

    Most—but not all—media formats (files that store pictures, music or video), cannot contain malicious code, unless you are tricked into opening them with the wrong program. Most of these formats simply direct your application to present pictures to your screen or audio signals to the speakers, without launching other apps or executing code that reads or writes to your device. But there are exceptions. Some popular formats support scripts, which are a form of program instructions. And, rarely, you may even be susceptible to execution of a data only file.*

    In my opinion, JPEG files are safe (including .jpg and .jiff file extensions). So are bmp, gif, mp3, avi, and mp4 files. But svg, doc and pdf files are not necessarily safe! These file formats permit javascript or other code which can be activated when you attempt to open the file. Therefore, if you use a service to create SVG, DOC or these other file types, be sure that you use your own applications to open it, and that you have configured your application to restrict execution on files that are downloaded from the Internet.

  2. Is there anything sensitive in your source material? (i.e. is your file confidential or embarrassing?). If so, it will be in the hands of strangers for all time. Do not use an online service to convert the file—nor even to store it, unless it is first encrypted on your device.
  3. Is there possibility of misdirection or error during the process? That is, could you be tricked into uploading the wrong file or revealing more information than you intended? For example, with deceptive tactics, a web service might slip you a routine that fools with your file associations. Now, a file ending with .JPG is no longer interpreted as an image, but contains an active and malicious threat.

Most Important: Never accept options that offers an upload manager, browser plug-in or “assistant”. These are programs over which you have no control! They often contain malware that threatens your data and your entire network. Helper apps and plug-ins should only be installed from rock-solid sources, such as the maker of your operating system or browser (Apple, Microsoft, Google) or from highly reputable, open-source projects.

Disambiguation: That last warning is about apps installed on your device, rather than online services. But, how can a non-techie be secure in their decision to download or install an app? Here is way to think about your options and safety: The maker of your app should fall into one of these two categories:

  • The vendor has a lot to lose if they fail to fully vet the context and security of an executable. This is typically true of large, audited, publicly funded companies like Adobe, Citrix or Google. (Being big does not inherently make them trustworthy, but it makes them very careful to verify their claims against internal practices).
  • —OR— The executable is offered via a reputable open source community with a broad base of technical and critical developers. It helps if developers are rewarded for finding and reporting bugs.

Online file conversion services fail these tests—But they are not locally installed apps. Remember, these last two tests are intended for apps that you plan to install, whereas online file-conversion services simply process data and return it to you. So to protect yourself from file-conversion programs that you download and install, you must ensure that they don’t install or interact with your other applications and data.

One way of ensuring this is to run in a sandbox or protected environment (as if you maintained a separate PC for use only with file conversions). The more practical way is to educate yourself on the vendor’s practices, reputation and history. A dedicated file conversion utility should interact only with files you select—and only to generate passive content that you open with your own applications.


* Even data-only files can be exploited. For example, malware can use a “buffer overrun” weakness to treat some of the music or photo data in your files as executable program code. But don’t worry. Although this might seem impossible to defend, such opportunistic exploits are unlikely if you have good antivirus protection, and if allow your trusted applications to update regularly.

Additional reading about SVG file format:

Ellery reads all feedback. 1st comment delayed for moderation