With the help of certified signatures, PDFs can be digitally signed by two contractual partners. After the first signature, however, it should theoretically no longer be possible to make any changes to the content. However, researchers at the Bochum Horst Görtz Institute for IT Security have now developed two attack methods with which exactly that should be possible.
Also interesting: UX Pope Nielsen: PDFs remain a usability GAU
Actually, the party can , which issues a PDF with a certified signature and signs it first, specify which changes the contractual partner can then make. The whole thing is intended so that the contractual partner can, for example, fill out individual fields, add comments or even add their own signature. However, the scientists also managed to change the content without invalidating the certification.
“The attack idea exploits the flexibility of PDF certification, which allows certified documents to be signed or annotated with different authorization levels. Our practical evaluation shows that an attacker was able to change the visible content in 15 of 26 viewer applications, ”write the researchers, who have now publicly presented their study at the IEEE Symposium on Security and Privacy.
Researchers exploit loophole in PDF specifications and errors in implementation
Specifically, the scientists took advantage of the possibility of placing signature elements on top of the actual document text in order to change its content. However, the potential victim may notice this change as the signature information is displayed when the document is opened. Using a second trick, however, the researchers were able to hide this signature information and thus further camouflage the manipulation.