Flaws in PDF Document Apps Allow Alterations

A research team found vulnerabilities in PDF document apps which would allow hackers to manipulate its content.

Security flaws in applications are nothing new. Some flaws are easier to exploit than others, and some are more detrimental if exploited than others. But one thing remains the same: All of them are a problem. No matter where the flaw is, if it’s happening in anything your business uses, it’s a problem. A research team out of Ruhr-University Bochum in Germany discovered security flaws in PDF document apps that could allow a bad actor to manipulate certified documents.

The researchers presented their findings at this year’s IEEE Symposium on Security and Privacy.  The symposium, all-virtual due to COVID-19 restrictions, is an annual event that “has been the premier forum for presenting developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field.” The 2021 Symposium will mark the 42nd annual meeting of this flagship conference. There are two specific attacks are outlined on their blog, which names them Sneaky Signature Attack (SSA) and the Evil Annotation Attack (EAA). Both exploits manipulate the PDF certification process via flaws in the file’s specification, which is the guarantee that the document is from a trustworthy source.

From here, bad actors can get inside the certification process. Hackers can then alter the document’s visible content without raising any red flags. “The attack idea exploits the flexibility of PDF certification,” the team says. “Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using EAA and in 8 applications using SSA by using PDF specification compliant exploits.”

Patches for these flaws already exist, so if your business is using PDF documents, it’s important to ensure the applications are updated. One may question why a hacker would go through this process to modify a contract, but let’s also ask why do criminals do anything? They don’t need a reason, and if they are getting into your sensitive documents, what else are they getting into? Exploiting a flaw in a PDF document could give a threat actor that one sliver of access they needed. How can they use that to manipulate systems or people to escalate further access?

Manipulation of corporate contracts may not seem like a valuable target, but sometimes all it takes is one disgruntled person to take drastic measures, and all they care about is causing problems for a business. Not to mention that sensitive information is contained within these documents, and potentially legitimate (not electronic) signatures.

These flaws, while seemingly a miniscule problem on the surface, highlight just how integrated security has to be in everything you do. Business leaders must pay attention to their security and ensure that security has layers. Every system you run, every storage method and application you use should be secured as tightly as possible. This means that even when a flaw is found that is unlikely to be exploited, you still fix that flaw. You don’t want to be the business that got hacked through a PDF.

As always, if you’re uncertain, don’t have time or even if you think you know what you’re doing, it’s always smart to bring in an expert to review your security information and processes. Even if you trust your team to be thorough, they will usually miss something simply because their eyes are used to seeing it. A third-party review is always a good idea.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran, who founded or co-founder several companies. He acts as a trusted advisor and mentor to numerous early stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. Has also authored the highly influential precursor HAZL (jADE) programming language.

Contact us

Contact Us About Anything

Need Project Savers, Tech Debt Wranglers, Bleeding Edge Pushers?

Please drop us a note let us know how we can help. If you need help in a crunch make sure to mark your note as Urgent. If we can't help you solve your tech problem, we will help you find someone who can.

1350 Avenue of the Americas, New York City, NY