New Injection Technique Exposes Data in PDFs

Security researchers on Thursday documented and described a new injection technique capable of extracting sensitive data from PDF files.

“One simple link can compromise the entire contents of an unknown PDF,” researcher Gareth Heyes warned during a presentation at the Black Hat Europe security conference.

The new technique allows hackers to inject code and launch dangerous XSS (cross-site scripting) attacks within the bounds of a PDF document.

PDF, short for Portable Document Format, is the de facto standard for document sharing among businesses. The format is widely used for airline tickets, boarding passes and other documents that typically contain passport numbers, home addresses, bank account details and other valuable private data.

Heyes, a researcher at web application security testing firm PortSwigger, warned that malicious hackers are capable of injecting PDF code to “escape objects, hijack links, and even execute arbitrary JavaScript” inside PDF files.

He explained that the problem arises because vulnerable PDF libraries do not properly parse code, specifically parentheses and backslashes, which exposes the PDF files they generate to injection.

Heyes tested the technique on several popular PDF libraries and confirmed two popular libraries were vulnerable to the exploitation technique — PDF-Lib (52,000 weekly downloads) and jsPDF (250,000 downloads).
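The parentheses-and-backslash problem described above, as an added example that is not code from the article, PortSwigger, PDF-Lib or jsPDF. It builds a PDF literal string with and without escaping and checks where a parser would see the string end; the function names, the `/URI` action layout and the sample value are constructed for illustration.

```javascript
// Added example: assumed helper names, not any library's API.
// Escape the characters that are special inside a PDF literal string "( ... )".
function escapePdfLiteral(text) {
  return text
    .replace(/\\/g, "\\\\") // backslash first, so later escapes are not doubled
    .replace(/\(/g, "\\(")
    .replace(/\)/g, "\\)")
    .replace(/\r/g, "\\r")
    .replace(/\n/g, "\\n");
}

// Hypothetical checker: index where the literal string opening at `start` ends.
// PDF rules: a backslash escapes the next character; unescaped parentheses nest.
function literalStringEnd(src, start) {
  if (src[start] !== "(") throw new Error("no literal string at offset " + start);
  let depth = 0;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (c === "\\") { i++; continue; } // skip the escaped character
    if (c === "(") depth++;
    else if (c === ")" && --depth === 0) return i;
  }
  return -1; // unterminated string
}

// Build a link action's URI entry, with or without escaping (layout is illustrative).
function buildUriAction(url, escape) {
  const value = escape ? escapePdfLiteral(url) : url;
  return "/A << /S /URI /URI (" + value + ") >>";
}

// True when the string token closes exactly where the builder intended.
function staysInsideString(action) {
  const start = action.indexOf("(");
  return literalStringEnd(action, start) === action.lastIndexOf(")");
}

// Constructed input: a URL value carrying an unbalanced ")" and a trailing backslash.
const sample = "https://example.test/a) /Marker (b\\";
console.log(staysInsideString(buildUriAction(sample, false))); // false
console.log(staysInsideString(buildUriAction(sample, true)));  // true
```

The same check can be run in a test suite over every user-controlled value a PDF generator writes into a string object.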

“You’ll learn how to create the ‘alert(1)’ of PDF injection and how to improve it to inject JavaScript that can steal the contents of a PDF on [multiple] readers,” he said in a blog post.

Heyes found that he could exfiltrate the contents from PDFs to a remote server using a rigged URL. “Even PDFs loaded from the filesystem in Acrobat, which have more rigorous protection, can still be made to make external requests,” he warned, demonstrating how he successfully crafted an injection that can perform an SSRF attack on a PDF rendered server-side.

“I’ve also managed to read the contents of files from the same domain, even when the Acrobat user agent is blocked by a WAF,” he said, noting that the attack also allows malicious hackers to steal the contents of a PDF without user interaction.
