Academics from Ruhr University Bochum have proven that the majority of popular PDF viewer apps and online digital signature validation services can be tricked into validating invalid signatures or validating signatures on documents that have been modified after having been signed.
Digitally signed PDF documents are accepted and provided by governmental authorities, are admissible in court, can be used for tax reporting, signing scientific papers, official business documents, and more.
The researchers developed three classes of attacks on PDF signatures:
- Universal Signature Forgery (USF) – The attacker can disable signature verification by providing invalid content within the signature object or removing the references to the signature object, and the document/signature shows as valid.
- Incremental Saving Attack (ISA) – The attacker can make an incremental saving on the document by redefining the document’s structure, all without invalidating the signature.
- Signature Wrapping (SWA) – The attacker can relocate the originally signed content to a different position within the document and insert new content at the allocated position, all without invalidating the signature.
More technical details about the Portable Document Format (PDF), PDF signatures and the attacks they devised are provided in this vulnerability report.
They are unsure about the root cause of the vulnerabilities that permitted these attacks because most of the applications they tested are closed-source.
Nevertheless, they believe that it’s either because the PDF specification is very vague about signatures and on how to validate them or because the analyzed readers are very tolerant about opening, validating and showing malformed PDF files.
The good news for all of us is that, with the help of the Computer Emergency Response Team for German federal agencies (BSI’s CERT-Bund), they’ve quietly disclosed their findings to the developers of the affected applications and services, which have proceeded to plug the holes before they were publicly revealed.
The researchers tested their attacks against 22 desktop PDF viewers (Adobe Reader, Foxit Reader, LibreOffice, Master PDF Editor, etc.) and seven online services, including DocuSign and Evrotrust. 21 of the 22 desktop viewers and five out of seven online validation services were found to be vulnerable.
Users of the latter don’t have to do anything to mitigate the risk of being targeted via one of these attacks, but those who use one of the vulnerable desktop viewers should make sure that they’ve upgraded to a fixed version.
Another good news is that the researchers aren’t aware of any exploits using their attacks.