Researchers faked signatures on 21 of 22 desktop PDF viewer apps and 5 out of 7 online PDF digital signing services.
A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services.
This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust, to name just the most recognizable.
The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services.
At the end of this article are images showing which PDF apps and web-based PDF signing services were vulnerable, and to which of the three vulnerabilities.
"If you use one of our analyzed Desktop Viewer Applications you already should have got an update for your reader," researchers said. Users who haven't installed any updates to their PDF apps lately should look into updating their client to prevent it from loading forged digitally signed PDF docs. The web services listed in the report fixed the issues by applying server-side fixes.
"Currently, we are not aware of any exploits using our attacks," researchers said.