91 points todsacerdoti | 1 comments
moffkalast No.46248794
How can there be security issues with a public document? Can't you just sign it with a cert like any other piece of data that needs a proven source?

But also let me get this straight, there is an actual EU standard for invoices? Why does nobody follow this and I have to keep asking people to put the fucking VAT ID onto it like I'm a broken record?

1. Analemma_ No.46248986
The concern is that a malicious vendor could send you an evil invoice where the XML either references external entities that get downloaded and allow potential RCE, or where the document contains references to the local execution environment which allow data exfiltration (or both). In theory a properly-secured XML parser shouldn't allow this, but history has shown that's harder than you might think.
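
A defensive check for the risk described in the comment above, as an added example that is not part of the thread: refuse any invoice that declares a DTD or entities before a tree is ever built. The names `parse_invoice`, `UnsafeInvoiceXML` and `is_accepted` and the sample element names are hypothetical and not taken from any invoice standard; only the Python standard library is used.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

class UnsafeInvoiceXML(ValueError):
    """The document declares a DTD or entities, which an invoice never needs."""

def _reject(construct):
    def handler(*_args):
        raise UnsafeInvoiceXML(f"{construct} not allowed in invoice XML")
    return handler

def parse_invoice(data: bytes) -> ET.Element:
    # Pass 1: stream the bytes through expat only to look for forbidden
    # constructs. The DOCTYPE handler fires before any entity is declared or
    # expanded; the other two handlers are defense in depth.
    probe = expat.ParserCreate()
    probe.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    probe.EntityDeclHandler = _reject("entity declaration")
    probe.ExternalEntityRefHandler = _reject("external entity reference")
    probe.Parse(data, True)
    # Pass 2: no DTD means no custom entities, so building the tree is safe.
    return ET.fromstring(data)

def is_accepted(data: bytes) -> bool:
    try:
        parse_invoice(data)
        return True
    except (UnsafeInvoiceXML, expat.ExpatError, ET.ParseError):
        return False

# Constructed samples; element names and values are made up for illustration.
CLEAN = b"<Invoice><ID>INV-001</ID><Total>100.00</Total></Invoice>"
EXTERNAL_ENTITY = (b'<!DOCTYPE Invoice [<!ENTITY note SYSTEM '
                   b'"http://example.invalid/placeholder">]>'
                   b"<Invoice><ID>&note;</ID></Invoice>")
INTERNAL_ENTITY = (b'<!DOCTYPE Invoice [<!ENTITY a "aaaa">]>'
                   b"<Invoice><ID>&a;&a;</ID></Invoice>")

if __name__ == "__main__":
    for name, doc in [("clean", CLEAN), ("external", EXTERNAL_ENTITY),
                      ("internal", INTERNAL_ENTITY)]:
        print(name, "accepted" if is_accepted(doc) else "rejected")
```

Rejecting the DOCTYPE outright covers both cases the comment names, since external and local references alike have to be declared inside it.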