New Attacks Show Signed PDF Documents Cannot Be Trusted

Many popular PDF viewers and online validation services contain vulnerabilities that can be exploited to make unauthorized changes to signed PDF documents without invalidating their signature, researchers have warned.

A team of researchers from the Ruhr-University Bochum in Germany has analyzed 22 desktop applications (including their Windows, Linux and macOS versions) and 7 online validation services.

PDF signatures, which rely on cryptographic operations, are widely used by organizations around the world to ensure that their documents are protected against unauthorized modifications. Many governments sign their official documents, researchers often sign scientific papers, and major companies such as Amazon are known to sign documents such as invoices. If a signed document has been changed, its signature should become invalid.

However, the researchers from Ruhr-University Bochum have demonstrated that a vast majority of PDF viewers and online validation services are vulnerable to at least one of the three PDF signature spoofing attack methods they have identified.

The experts showed that an unauthorized user could leverage various techniques to make changes to a PDF document without invalidating its signature.

The list of vulnerable applications includes Adobe Reader, Foxit Reader, LibreOffice, Nitro Reader, PDF-XChange and Soda PDF, which are some of the most popular PDF readers. The list of affected validation services includes DocuSign, eTR Validation Service, DSS Demonstration WebApp, Evotrust, and VEP.si.

The only application that was not vulnerable to at least one type of attack was Adobe Reader 9 running on Linux, while the only non-vulnerable online service was version 5.4 of the DSS Demonstration WebApp. The researchers have been working with CERT-Bund, Germany’s governmental CERT, to notify impacted vendors and provide them with the information needed to address the issues. While some online services have yet to roll out patches, all of the companies providing PDF viewing apps have released fixes.

The three attack methods identified by researchers have been named Universal Signature Forgery (USF), Incremental Saving Attack (ISA), and Signature Wrapping Attack (SWA).

In the case of USF, an attacker can manipulate meta information in the signature so that the application used to open the altered PDF finds the signature, but not the data needed for validation. Despite the missing information, the signature is still shown as valid by some applications, such as Acrobat Reader DC and Reader XI.

The ISA attack, which affects many of the tested apps and services, leverages a legitimate feature in the PDF specification. This feature allows files to be updated by appending changes, such as storing annotations or adding new pages to the document. An attacker can modify a document by making changes to an element that is not part of the signature integrity protection.
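A defender-side pre-check for the two failures described above (a signature present without the data needed to validate it, and changes appended outside the signed bytes), as an added example that is not from the article or the researchers. It assumes the standard PDF signature dictionary keys `/ByteRange` and `/Contents`, which the article does not name; the function names and the sample file are constructed for illustration.

```python
import re

# /ByteRange [a b c d]: the signature covers bytes [a, a+b) and [c, c+d).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
SIG_DICT = re.compile(rb"/Type\s*/Sig\b")


def coverage_findings(pdf: bytes) -> list[str]:
    """Return reasons to distrust the file; an empty list means none found."""
    ranges = [tuple(map(int, m.groups())) for m in BYTE_RANGE.finditer(pdf)]
    if not ranges:
        # A signature with nothing to validate against must fail closed.
        return ["missing-byterange"] if SIG_DICT.search(pdf) else ["no-signature"]
    # Earlier signatures may legitimately stop short of end of file, so only
    # the signature reaching furthest into the file must cover all of it.
    a, b, c, d = max(ranges, key=lambda r: r[2] + r[3])
    findings = []
    if a != 0 or not (b < c and c + d <= len(pdf)):
        findings.append("malformed-byterange")
    elif not (pdf[b:c].startswith(b"<") and pdf[b:c].endswith(b">")):
        # The only unsigned gap should be the hex string holding the signature.
        findings.append("gap-is-not-contents")
    if pdf[c + d:].strip():
        # Bytes after the signed range: an incremental update nobody signed.
        findings.append("unsigned-trailing-bytes")
    return findings


def build_signed_sample() -> bytes:
    # Constructed toy bytes shaped like a signed PDF; the signature is a dummy.
    contents = b"<" + b"00" * 16 + b">"
    tpl = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    tail = b" >>\nendobj\n%%EOF\n"
    b_off = len(tpl % (0, 0, 0))
    c_off = b_off + len(contents)
    return tpl % (b_off, c_off, len(tail)) + contents + tail


if __name__ == "__main__":
    signed = build_signed_sample()
    update = b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"  # constructed
    print(coverage_findings(signed))
    print(coverage_findings(signed + update))
```

This is a structural check on raw bytes only: it does not verify the cryptographic signature, and it is not a defence against the wrapping attack.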

Finally, the SWA attack, which impacts many PDF apps and some online validation services, forces the signature verification logic to process different data by “relocating the originally signed content to a different position within the document and inserting new content at the allocated position.”

The researchers have published a paper and created a dedicated website, both of which contain the technical details of the attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
