A security issue in the certification signatures of PDF documents has been discovered by researchers at Ruhr-Universität Bochum. This special form of signed PDF files can be used, for instance, to conclude contracts. Unlike a normal PDF signature, the certification signature permits certain changes to be made in the document after it has actually been signed. This is necessary to allow the second contractual party to also sign the document. The team from the Horst Görtz Institute for IT Security in Bochum showed that the second contractual party can also change the contract text unnoticed when they add their digital signature, without this invalidating the certification. The researchers additionally discovered a weakness in Adobe products that enables attackers to implant malicious code into the documents.
Simon Rohlmann, Dr. Vladislav Mladenov, Dr. Christian Mainka and Professor Jörg Schwenk from the Chair for Network and Data Security are presenting the results at the 42nd IEEE Symposium on Security and Privacy, which is taking place as an online conference from 24 to 27 May 2021. The team has also published the results on the website https://pdf-insecurity.org.
24 out of 26 applications affected
When using certification signatures, the party who issues the document and signs it first can determine which changes the other party can then make. For instance, it is possible to add comments, insert text into special fields, or add a second digital signature at the bottom of the document. The Bochum group circumvented the integrity of the protected PDF documents with two new attacks – called Sneaky Signature Attack (SSA) and Evil Annotation Attack (EAA). The researchers were thus able to display fake content in the document instead of the certified content, without this rendering the certification invalid or triggering a warning from the PDF applications.
The IT security experts tested 26 PDF applications, in 24 of which they were able to break the certification with at least one of the attacks. In eleven of the applications, the specifications for PDF certifications were also implemented incorrectly. The detailed results have been published online (https://pdf-insecurity.org/signature/evaluation.html#security-evaluation-certification-attacks-2021).
Malicious code can be implanted into Adobe documents
Simon Rohlmann, Vladislav Mladenov, Christian Mainka, Jörg Schwenk: Breaking the specification: PDF certification, 42nd IEEE Symposium on Security and Privacy, online conference, 2021
Paper download: https://pdf-insecurity.org/download/pdf-certification/paper.pdf
Chair for Network and Data Security
Horst Görtz Institute for IT Security
Phone: +49 234 32 26740
General queries can also be submitted via the email address team(at)pdf-insecurity.org.
Further contact details can be found on the attack website.
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.