A New Hack Can Sidestep the Security That PDF Readers Promise

Researchers have invented a new hack to break the encryption of PDF files and access their content. The hack can even forge signed files under specific circumstances—a perfect nightmare for businesses and private users alike. A team from Ruhr University Bochum, FH Munster University of Applied Sciences and Hackmanit GmBh developed an attack called PDFex. The team published a report online detailing how the attack breaks PDF signatures and PDF encryption.

Flex targets two types of applications- online validation services (used by businesses) and commonly used desktop applications. According to researchers this PDFex attacks encryption is supported by the PDF standard rather than protection applied to a PDF document from another source. The researchers were able to access PDF file content in 21 out of 22 desktop-viewer applications and five out of seven validation services. Adobe Acrobat, Firefox, and Chrome’s built-in PDF readers are some of the PDF viewers vulnerable to PDFex attacks.

Security Researcher for Network and Data Security at Ruhr University Bochum Jens Mueller said, “PDFex abuses weaknesses in the PDF encryption standard itself to perform targeted manipulations through the encryption.” For password-protected PDFs, the attacker can manipulate parts of a PDF file without needing the password but only after the victim has opened the file.

In the other technique, a PDFex attack can use a signed PDF document and create a new document with arbitrary content in the name of signed user. Researchers warned that nearly all PDF desktop viewers and online validation services are vulnerable to such attacks.

“There are currently no effective countermeasures, as the weaknesses lies in the PDF encryption standard itself,” Mueller told Threatpost via an email-based interview. “As mitigation, companies can use additional layers of encryption such as TLS for data in-transfer and hard disk encryption for data at-rest instead of solely relying on PDF document encryption. Note that this is a good security practice anyway,” said Mueller.