Hardly a company or government agency exists that does not use PDF files. And they often use digital signatures to ensure the authenticity of such documents. When you open a signed file in any PDF viewer, the program displays a flag indicating that the document is signed, and by whom, and gives you access to the signature validation menu.
So, a team of researchers from several German universities set out to test the robustness of PDF signatures. Vladislav Mladenov from Ruhr-Universität Bochum shared the team’s findings at the Chaos Communication Congress (36С3).The researchers’ task was simple: Modify the contents of a signed PDF document without invalidating the signature in the process. In theory, cybercriminals could do the same to impart false information or add malicious content to a signed file. After all, clients who receive a signed document from a bank are likely to trust it and click on any links in it. The team selected 22 popular PDF viewers for various platforms, and systematically fed them the results of their experiments.
First, the team tried to add extra sections to the file with another incremental update using a text editor. Strictly speaking, that’s not an attack — the team simply used a function implemented by the creators of the format. When a user opens a file that’s been modified in this way, the PDF reader usually displays a message saying that the digital signature is valid but the document has been modified. Not the most enlightening message, especially not for an inexperienced user. Worse, one of the PDF viewers (LibreOffice) did not even show the message.
The next experiment involved removing the two final sections (that is, adding an update to the body, but not the new Xref and trailer). Some applications refused to work with such a file. Two PDF viewers saw that the sections were missing and automatically added them without notifying the reader about a change in content. Three others swallowed the file without any objection.
Next, the researchers wondered what would happen if they simply copied the digital signature into their own “manual” update. Two more viewers fell for it — Foxit and MasterPDF. In total, 11 of the 22 PDF viewers proved vulnerable to these simple manipulations. What’s more, six of them showed absolutely no signs that the document opened for viewing had been modified. In the other five cases, to reveal any sign of manipulation, the user had to enter the menu and check the validity of the digital signature manually; simply opening the file was insufficient.
The summary results table shows that no fewer than 21 of the 22 PDF viewers could be hoodwinked. That is, for all but one of them, it is possible to create a PDF file with malicious content or false information that looks valid to the user.