Researchers Crack Digital PDF Signatures

Academics at Ruhr-University Bochum in Germany have found ways to bypass the digital signature checks used for Adobe's PDF format. The attacks do not break the signature cryptography itself; they exploit weaknesses in how PDF viewers and validation services parse and verify signed documents, which allowed the researchers to alter a document's content while the signature was still reported as valid.

The academics described three classes of attack that let them modify a signed document in such a way that most desktop PDF readers and online validation tools still reported the signature as valid.

They said 21 of the 22 desktop PDF readers they tested were vulnerable to at least one of the attacks, as were five of the seven online signature validation services.

The vulnerable applications included Adobe's Acrobat Reader, Foxit Reader and LibreOffice, while DocuSign and Evotrust were among the affected online services.


Document security

PDFs are increasingly used by businesses and governments in place of paper documents, and digital signatures – which verify a document’s provenance and that it has remained unaltered – play an important role in ensuring the security of those documents.

Start-up DocuSign, which went public in April of last year, is one of the better-known companies capitalising on the increasing demand for secure digital signatures.

In 2016 the company extended its electronic signature service across the EU under the eIDAS regulation on electronic identification and trust services, which came into force that year.

The three attack techniques are called Universal Signature Forgery (USF), Incremental Saving Attack (ISA) and Signature Wrapping Attack (SWA). In USF the attacker tampers with the signature's metadata, for instance the entries that tell the viewer where the signature value and the signed byte ranges are, so that verification cannot actually be carried out, yet the viewer still displays the signature as valid.

The second attack uses incremental saving, a legitimate feature of the PDF specification that lets a file be updated by appending new objects after the original content rather than rewriting it. The attacker appends a new revision that effectively hides the existing document and presents a new one, while the originally signed bytes remain untouched. The Signature Wrapping Attack manipulates the entry that tells the verifier which byte ranges to hash, tricking the signature-verification logic into accepting falsified data.

“With our attacks, we can use an existing signed document… and change the content of the document arbitrarily without invalidating the signature,” the researchers wrote in an advisory published on a website dedicated to the PDF vulnerabilities.

They said that, for instance, an Amazon Germany invoice could be falsified to indicate a $1 trillion (£750bn) refund without compromising the invoice’s signature.
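What the incremental saving attack relies on is that a PDF signature covers only the byte ranges named in the signature's /ByteRange entry, so a verifier that never asks whether those ranges reach the end of the file, or whether the unsigned gap between them holds only the signature value, can be shown appended content it has not checked. The script below, added here by the editor as an illustration and not taken from the researchers' work or from any PDF product, builds a constructed, cryptographically meaningless signed-PDF-like file, performs those structural checks, and then shows how they flag an appended update and a widened unsigned gap. The file layout, the functions `build_signed_pdf`, `check_signature_coverage`, `append_incremental_update` and `widen_unsigned_gap`, and the refund text are all assumptions made for the example; a real verifier must also validate the signature cryptographically, and must recognise that some appended updates, such as a second signature, are legitimate.

```python
import re

# Entries a signed PDF's signature dictionary carries: the four ByteRange
# numbers [offset1 length1 offset2 length2] and the hex-encoded signature value.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING_RE = re.compile(rb"\A<[0-9A-Fa-f]*>\Z")


def build_signed_pdf(signature_hex=b"AB" * 32):
    """Construct a minimal signed-PDF-like byte string for this example.

    The layout mimics what a signer produces (a fixed-width /ByteRange
    placeholder filled in once offsets are known), but the signature value
    is dummy bytes: no real signing or hashing takes place here.
    """
    placeholder = b"/ByteRange [0000000000 0000000000 0000000000 0000000000]"
    body = (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj\n"
            b"3 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
            b"/SubFilter /adbe.pkcs7.detached\n"
            + placeholder + b"\n"
            + b"/Contents <" + signature_hex + b"> >>\nendobj\n"
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    gap_start = body.index(b"/Contents <") + len(b"/Contents ")  # offset of '<'
    gap_end = body.index(b">", gap_start) + 1                    # one past '>'
    real = b"/ByteRange [%010d %010d %010d %010d]" % (
        0, gap_start, gap_end, len(body) - gap_end)
    assert len(real) == len(placeholder)  # fixed width keeps the offsets valid
    return body.replace(placeholder, real)


def check_signature_coverage(pdf):
    """Structural checks a verifier should make alongside the cryptographic one.

    The signed ranges must start at byte 0, run to the end of the file, and
    leave out exactly the /Contents hex string. Returns a list of findings;
    an empty list means the layout is clean (it says nothing about the
    signature value itself, which must still be verified cryptographically).
    """
    findings = []
    m = BYTERANGE_RE.search(pdf)
    if m is None:
        return ["no /ByteRange entry found; nothing is signed"]
    o1, l1, o2, l2 = (int(x) for x in m.groups())
    if o1 != 0:
        findings.append("first signed range does not start at byte 0")
    gap = pdf[o1 + l1:o2]  # bytes the hash never covers
    if not HEX_STRING_RE.match(gap):
        findings.append("unsigned gap is not exactly the /Contents hex string "
                        "(covers %d bytes)" % len(gap))
    signed_end = o2 + l2
    if signed_end < len(pdf):
        findings.append("%d bytes follow the signed region: an incremental "
                        "update was appended after signing"
                        % (len(pdf) - signed_end))
    elif signed_end > len(pdf):
        findings.append("ByteRange extends past the end of the file")
    return findings


def append_incremental_update(pdf, new_text=b"Refund: 1,000,000,000,000 USD"):
    """Simulate incremental saving: append a new object and trailer after the
    signed revision without touching any signed byte. The update is
    constructed for the example and is not a complete, renderable revision."""
    update = (b"4 0 obj\n<< /Length %d >>\nstream\n" % len(new_text)
              + new_text + b"\nendstream\nendobj\n"
              + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf + update


def widen_unsigned_gap(pdf, extra=8):
    """Rewrite /ByteRange so the unsigned gap swallows `extra` bytes beyond the
    /Contents string (constructed tampering for the example). Bytes inside the
    gap are never hashed, so a gap wider than the signature value is a red flag."""
    m = BYTERANGE_RE.search(pdf)
    o1, l1, o2, l2 = (int(x) for x in m.groups())
    new = b"/ByteRange [%010d %010d %010d %010d]" % (o1, l1, o2 + extra, l2 - extra)
    return pdf[:m.start()] + new + pdf[m.end():]


if __name__ == "__main__":
    clean = build_signed_pdf()
    print("clean:      ", check_signature_coverage(clean) or "ok")
    print("incremental:", check_signature_coverage(append_incremental_update(clean)))
    print("wide gap:   ", check_signature_coverage(widen_unsigned_gap(clean)))
```

The point of the coverage check is that it is independent of the cryptography: the signature over the appended-to file still verifies perfectly, because the appended bytes were never part of the signed ranges. A viewer that only reports "signature valid" without also reporting "this file contains content that the signature does not cover" is the one the second attack fools.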

Patches available

The researchers said they began examining PDF signatures early last year and in October began contacting the vulnerable vendors, in cooperation with Germany’s Computer Emergency Response Team, BSI-CERT.

The affected vendors have since patched the issues and released updates, so the latest versions are no longer vulnerable to the attacks, the researchers said. Users remain exposed until they install the updated readers, and documents validated by unpatched tools should be re-checked.

The vulnerabilities affected Mac, Windows and Linux platforms, they said.

Researchers Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe and Jörg Schwenk said they were not aware of current exploits using their attacks.

Matthew Broersma

Matt Broersma is a long-standing technology freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
