Researchers have recently discovered security flaws in PDFs that could allow a skilled attacker to manipulate or surreptitiously alter the content of certified documents. While the vulnerabilities in question have already been fixed by most reader applications, the new research offers an unsettling look at how online goons could mess with your docs, should they be so inclined.
The flaws were discovered by academic researchers at Ruhr University Bochum and were presented at this year's IEEE Symposium on Security and Privacy.
The researchers describe two specific exploits on their blog, dubbing them the Sneaky Signature Attack (SSA) and the Evil Annotation Attack (EAA). In both cases, the exploitation depends on manipulating the PDF certification process via defects in the PDF specification. The specification governs digital signing and certification, the process by which a document receives a stamp of approval showing that it comes from a trusted and reliable source.
Through these flaws, attackers can interfere with the certification process, adding signatures, annotations or other modifications to a document after it has been certified. The exploits allow a malicious actor to "significantly alter the visible content of a certified document without raising any warnings," as the researchers put it.
"The attack idea leverages the flexibility of PDF certification," they explain. "Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications using EAA and in 8 applications using SSA, using exploits compliant with the PDF specification."
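As an added illustration (not from the article or the researchers' own tooling), a Python heuristic that scans a PDF for annotation or signature objects appended in incremental updates after a DocMDP certification signature, the shape of an EAA or SSA change; the toy PDF bytes are constructed inline and the permission levels follow the PDF specification's /P values.

```python
import re

OBJ_RE = re.compile(rb"(\d+) (\d+) obj(.*?)endobj", re.S)

def build_sample(with_update=True):
    """Constructed toy PDF: a DocMDP-certified base revision (P=2: only form
    filling and signing allowed), optionally followed by an incremental update
    that appends a FreeText annotation, the shape of an EAA change."""
    base = (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Perms << /DocMDP 4 0 R >> >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"4 0 obj << /Type /Sig /ByteRange [0 XXXXXXXX 0 0] /Contents <> "
            b"/Reference [<< /TransformMethod /DocMDP /TransformParams << /P 2 >> >>] >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")
    # toy ByteRange covering the whole base revision (real ones skip /Contents)
    base = base.replace(b"XXXXXXXX", str(len(base)).encode().zfill(8))
    update = (b"5 0 obj << /Type /Annot /Subtype /FreeText /Rect [10 10 200 50] "
              b"/Contents (Inserted clause) >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return base + update if with_update else base

def certified_end(pdf):
    """Return (end offset of the certified bytes, DocMDP P level) or None."""
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        if b"/Type /Sig" in body and b"/DocMDP" in body:
            br = [int(x) for x in re.search(rb"/ByteRange \[([^\]]*)\]", body).group(1).split()]
            end = max(br[i] + br[i + 1] for i in range(0, len(br), 2))
            pm = re.search(rb"/P (\d)", body)
            return end, int(pm.group(1)) if pm else 2  # spec default is P=2
    return None

def post_certification_changes(pdf):
    """List (object number, kind, permitted by P) for annotation and signature
    objects appended after the certified byte range. An annotation under P<3
    (EAA) is never permitted; a new signature under P>=2 (SSA) is spec-compliant
    and is still reported so its appearance can be reviewed manually."""
    info = certified_end(pdf)
    if info is None:
        return []
    end, p = info
    findings = []
    for m in OBJ_RE.finditer(pdf, end):  # only objects after the certified bytes
        body = m.group(3)
        if b"/Type /Annot" in body:
            findings.append((int(m.group(1)), "annotation", p >= 3))
        elif b"/Type /Sig" in body or b"/FT /Sig" in body:
            findings.append((int(m.group(1)), "signature", p >= 2))
    return findings

if __name__ == "__main__":
    for num, kind, ok in post_certification_changes(build_sample()):
        print(f"obj {num}: {kind} added after certification, permitted={ok}")
```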
Of course, why a hacker would want to go to the trouble of doing this is a little unclear. Want, uh, to inject a new clause into someone's corporate contract, or maybe manipulate a CEO's signature to make them look like a master of penmanship? I think in some disturbing, hypothetical scenario, this tactic could be used as a distant form of defamation: perhaps inserting offensive and/or bizarre content into a document to make its author look bad. While it seems like a lot of trouble to go to when the Internet is already a treasure trove of random character-assassination methods, you never know!
Whether or not this is a practical attack for anyone to use, expect to hear bitcoin people explain why we need the blockchain.