Sponsored By

Digital Signatures Can Be Forged in PDF Docs

Researchers in Germany have figured out three different ways to forge digital signatures in PDF documents.

Larry Loeb

March 1, 2019

3 Min Read

Researchers at the Ruhr-University Bochum in Germany have figured out three different ways to forge digital signatures in PDF documents.

The fakes will be treated as genuine on 21 of 22 desktop PDF viewer apps (running on Windows, MacOS and Linux) and five out of seven online PDF digital signing services. These include well-known apps, including Adobe Acrobat Reader, Foxit Reader and LibreOffice, as well as online services like DocuSign and Evotrust.

Summarizing their six month-long research in a paper and a blog, the researchers note they have been working with Germany's Computer Emergency Response Team (BSI-CERT) to responsibly disclose the results to affected service providers.

Signatures to PDF documents have come to be accepted in legally binding contracts since President Clinton signed the eSign Act. In 2014, the EU issued a regulation that gave such documents legal status in the EU as well.

Adobe has said that it processed 8 billion such signatures in 2017. The researchers found three major attack methods.

The first is Universal Signature Forgery (USF). This is a way for attackers to game the signature verification process so that it will display a fake panel/message that the signature is valid.

The second is Incremental Saving Attack (ISA). Here, attackers will add content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking what has already been saved for the signature of that document.

The last is Signature Wrapping (SWA). Similar to ISA, it will fool the signature validation process into "wrapping" around the attacker's additional content. This means the content added (the incremental update) has been digitally signed.

The researchers found that there were two root causes why this sort of spoofing could be carried out.

First, they said, "The specification does not provide any information with concrete procedure on how to validate signatures. There is no description of pitfalls and any security considerations. Thus, developers must implement the validation on their own without a best-common-practice information."

Secondly, they found "The error tolerance of the PDF viewer is abused to create non-valid documents bypassing the validation, yet correctly displayed to the user."

They came up with a verification algorithm. It's a concrete approach on how to compute the values necessary for the verification and how to detect manipulations after signing the PDF file. The specified algorithm must be applied for each signature within the PDF document. As an input, it requires the PDF file as a byte stream and the signature object.

The approach will only work on the last revision that has been done to a PDF document, and does not verify any signatures that may have been done previously to that final revision.

This problem can be serious, and enable some massive financial frauds. It is incumbent on the security team to verify that they have patched all applications affected, and that they are using services that have taken this problem seriously.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights