Many popular PDF viewers and online validation services contain vulnerabilities that can be exploited to make unauthorized changes to signed PDF documents without invalidating their signature, researchers have warned.
A team of researchers from the Ruhr-University Bochum in Germany has analyzed 22 desktop applications (including their Windows, Linux and macOS versions) and 7 online validation services.
PDF signatures, which rely on cryptographic operations, are widely used by organizations around the world to ensure that their documents are protected against unauthorized modifications. Many governments sign their official documents, researchers often sign scientific papers, and major companies such as Amazon are known to sign documents such as invoices. If a signed document has been changed, its signature should become invalid.
However, the researchers from Ruhr-University Bochum have demonstrated that a vast majority of PDF viewers and online validation services are vulnerable to at least one of the three PDF signature spoofing attack methods they have identified.
The experts showed that an unauthorized user could leverage various techniques to make changes to a PDF document without invalidating its signature.
The list of vulnerable applications includes Adobe Reader, Foxit Reader, LibreOffice, Nitro Reader, PDF-XChange and Soda PDF, which are some of the most popular PDF readers. The list of affected validation services includes DocuSign, eTR Validation Service, DSS Demonstration WebApp, Evotrust, and VEP.si.
The only application that was not vulnerable to at least one type of attack was Adobe Reader 9 running on Linux, while the only non-vulnerable online service was version 5.4 of the DSS Demonstration WebApp. The researchers have been working with CERT-Bund, Germany’s governmental CERT, to notify impacted vendors and provide them with the information needed to address the issues. While some online services have yet to roll out patches, all of the companies providing PDF viewing apps have released fixes.
The three attack methods identified by researchers have been named Universal Signature Forgery (USF), Incremental Saving Attack (ISA), and Signature Wrapping Attack (SWA).
In the case of USF, an attacker can manipulate meta information in the signature so that the application used to open the altered PDF finds the signature, but not the data needed for validation. Despite the missing information, the signature is still shown as valid by some applications, such as Acrobat Reader DC and Reader XI.
The ISA attack, which affects many of the tested apps and services, leverages a legitimate feature in the PDF specification. This feature allows files to be updated by appending changes, such as storing annotations or adding new pages to the document. An attacker can modify a document by making changes to an element that is not part of the signature integrity protection.
Finally, the SWA attack, which impacts many PDF apps and some online validation services, forces the signature verification logic to process different data by “relocating the originally signed content to a different position within the document and inserting new content at the allocated position.”
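As an added illustration of the structural checks a validator needs for the ISA and SWA cases described above (example code written for this page, not the researchers' tooling or any vendor's validator), the following Python parses a signature's /ByteRange and verifies that the two signed ranges start at offset 0, are separated only by the signature's own /Contents hex string, and run to the very end of the file. Bytes appended after the signed content (the ISA case) or extra material in the gap between the two ranges (the SWA case) are reported as findings. The sample byte strings are constructed, not real PDFs or real signatures, and the helper names are my own.

```python
import re

# Regexes for the two signature-dictionary entries the check needs.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING_RE = re.compile(rb"[0-9A-Fa-f\s]*")


def parse_byte_ranges(data: bytes):
    """Return every /ByteRange [a b c d] found, in file order."""
    return [tuple(int(x) for x in m.groups()) for m in BYTERANGE_RE.finditer(data)]


def check_signature_coverage(data: bytes):
    """Structural checks a validator should run before trusting a signature's
    cryptographic result. Returns a list of findings; an empty list means the
    ByteRange covers the whole file as expected."""
    findings = []
    ranges = parse_byte_ranges(data)
    if not ranges:
        return ["no /ByteRange entry: the document carries no signature"]
    a, b, c, d = ranges[-1]  # last signature in file order; see usage note
    if a != 0:
        findings.append("signed range does not start at byte 0")
    if a + b > c:
        findings.append("ByteRange segments overlap")
    # The only bytes a signature may leave uncovered are its own /Contents
    # hex string, delimiters included. Anything else in that gap means the
    # ranges were moved around the document (wrapping-style manipulation).
    hole = data[a + b:c]
    if not (hole.startswith(b"<") and hole.endswith(b">")
            and HEX_STRING_RE.fullmatch(hole[1:-1])):
        findings.append("gap between signed ranges holds more than the /Contents hex string")
    end = c + d
    if end > len(data):
        findings.append("ByteRange extends past the end of the file")
    elif end < len(data):
        # Incremental update appended after the signed content: the
        # signature still verifies, but it does not cover these bytes.
        findings.append(f"{len(data) - end} bytes follow the signed content "
                        f"and are not covered by the signature")
    return findings


def build_signed_sample(tail: bytes = b"") -> bytes:
    """Constructed, minimal PDF-like byte string with one signature dictionary
    whose /ByteRange is computed to cover everything except /Contents.
    Not a real PDF and not a real signature; the hex is a zero placeholder."""
    sig_hex = b"00" * 16
    br_placeholder = b"%010d %010d %010d %010d" % (0, 0, 0, 0)
    doc = (b"%PDF-1.7\n"
           b"1 0 obj\n<< /Type /Sig /ByteRange [" + br_placeholder +
           b"] /Contents <" + sig_hex + b"> >>\nendobj\n"
           b"trailer\n<< /Root 2 0 R >>\n%%EOF\n")
    hole_start = doc.index(b"<" + sig_hex)      # offset of '<'
    hole_end = hole_start + len(sig_hex) + 2    # just past '>'
    byte_range = b"%010d %010d %010d %010d" % (0, hole_start, hole_end, len(doc) - hole_end)
    doc = doc.replace(br_placeholder, byte_range)  # same width, offsets unchanged
    return doc + tail  # `tail` stands in for bytes appended after signing


if __name__ == "__main__":
    print(check_signature_coverage(build_signed_sample()))
    print(check_signature_coverage(build_signed_sample(b"% constructed appended bytes\n")))
```

The check inspects the last /ByteRange in file order because, when a document carries several legitimate signatures, each later signature must cover the entire earlier state of the file, so the final one is the only one that can legitimately reach the end of the file. This structural check complements, and does not replace, verifying the embedded CMS signature over the covered bytes and matching its digest; a validator that does only the cryptographic step is exactly what the ISA and SWA variants above defeat.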
The researchers have published a paper and created a dedicated website, both of which contain the technical details of the attacks.
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.