Cybersecurity researchers have disclosed two new attack techniques on certified PDF documents that could potentially enable an attacker to alter a document’s visible content by displaying malicious content over the certified content without invalidating its signature.
“The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels,” said researchers from Ruhr-University Bochum, who have systematically analyzed the security of the PDF specification over the years.
The findings were presented at the 42nd IEEE Symposium on Security and Privacy (IEEE S&P 2021) held this week.
The two attacks — dubbed Evil Annotation and Sneaky Signature attacks — hinge on manipulating the PDF certification process by exploiting flaws in the specification that governs the implementation of digital signatures (aka approval signatures) and their more flexible variant, called certification signatures.
Certification signatures also allow different subsets of modifications on the PDF document based on the permission level set by the certifier, including the ability to write text to specific form fields, provide annotations, or even add multiple signatures.
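As an added illustration (not code from the researchers or from this article), the following Python triage check reads a certified PDF's permission level and lists annotations and signature fields appended after the certified byte range. The keys `/DocMDP`, `/P` and `/ByteRange` come from the PDF specification rather than the article; the function names and sample bytes are constructed, and the check assumes uncompressed objects and that the first `/ByteRange` in the file belongs to the certification signature.

```python
import re

def audit_certified_pdf(data: bytes) -> dict:
    """Heuristic raw-byte triage (uncompressed objects only, no signature validation)."""
    certified = re.search(rb"/TransformMethod\s*/DocMDP", data)
    perm = re.search(rb"/TransformParams\s*<<[^>]*?/P\s+(\d)", data)
    byte_range = re.search(rb"/ByteRange\s*\[\s*\d+\s+\d+\s+(\d+)\s+(\d+)\s*\]", data)
    if not (certified and byte_range):
        return {"certified": False}
    # /P: 1 = no changes, 2 = form fill-in and signing, 3 = additionally annotations.
    level = int(perm.group(1)) if perm else 2  # 2 is the specification's default
    # Assumption: the first /ByteRange is the certification's; it ends at offset + length.
    signed_end = int(byte_range.group(1)) + int(byte_range.group(2))
    annotations, signature_fields = [], 0
    for body in re.findall(rb"\d+\s+\d+\s+obj(.*?)endobj", data[signed_end:], re.S):
        subtype = re.search(rb"/Subtype\s*/(\w+)", body)
        if re.search(rb"/FT\s*/Sig", body):
            signature_fields += 1
        elif re.search(rb"/Type\s*/Annot", body) and subtype and subtype.group(1) != b"Widget":
            annotations.append(subtype.group(1).decode())
    if (annotations and level < 3) or (signature_fields and level < 2):
        finding = "exceeds-level"       # additions the certifier did not allow
    elif annotations or signature_fields:
        finding = "permitted-review"    # allowed additions that can still cover certified content
    else:
        finding = "clean"
    return {"certified": True, "level": level, "annotations": annotations,
            "signature_fields": signature_fields, "finding": finding}

def make_sample(level: int, update: bytes = b"") -> bytes:
    """Constructed PDF-like input for the demo; not a valid signed PDF."""
    template = (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 40 60 %06d]\n"
                b"/Reference [<< /TransformMethod /DocMDP /TransformParams << /P %d >> >>] >>\n"
                b"endobj\n%%%%EOF\n")
    size = len(template % (0, level))           # fixed-width field keeps the length stable
    return template % (size - 60, level) + update

# Constructed incremental updates: an overlay annotation and an added signature field.
ANNOTATION_UPDATE = b"7 0 obj\n<< /Type /Annot /Subtype /FreeText /Rect [0 0 600 800] >>\nendobj\n"
SIG_FIELD_UPDATE = b"8 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Sig /Rect [0 0 600 800] >>\nendobj\n"

if __name__ == "__main__":
    for level, update in [(3, ANNOTATION_UPDATE), (2, ANNOTATION_UPDATE), (2, SIG_FIELD_UPDATE)]:
        print(level, audit_certified_pdf(make_sample(level, update)))
```

A "permitted-review" result is the case the article describes: the addition is within the certifier's permission level, so signature validation alone will not flag it and the visible content has to be compared with the certified revision.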