Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

Identity Management

3/1/2019
07:00 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Digital Signatures Can Be Forged in PDF Docs

Researchers in Germany have figured out three different ways to forge digital signatures in PDF documents.

Researchers at the Ruhr-University Bochum in Germany have figured out three different ways to forge digital signatures in PDF documents.

The fakes will be treated as genuine on 21 of 22 desktop PDF viewer apps (running on Windows, MacOS and Linux) and five out of seven online PDF digital signing services. These include well-known apps, including Adobe Acrobat Reader, Foxit Reader and LibreOffice, as well as online services like DocuSign and Evotrust.

Summarizing their six month-long research in a paper and a blog, the researchers note they have been working with Germany's Computer Emergency Response Team (BSI-CERT) to responsibly disclose the results to affected service providers.

Signatures to PDF documents have come to be accepted in legally binding contracts since President Clinton signed the eSign Act. In 2014, the EU issued a regulation that gave such documents legal status in the EU as well.

Adobe has said that it processed 8 billion such signatures in 2017. The researchers found three major attack methods.

The first is Universal Signature Forgery (USF). This is a way for attackers to game the signature verification process so that it will display a fake panel/message that the signature is valid.

The second is Incremental Saving Attack (ISA). Here, attackers will add content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking what has already been saved for the signature of that document.

The last is Signature Wrapping (SWA). Similar to ISA, it will fool the signature validation process into "wrapping" around the attacker's additional content. This means the content added (the incremental update) has been digitally signed.

The researchers found that there were two root causes why this sort of spoofing could be carried out.

First, they said, "The specification does not provide any information with concrete procedure on how to validate signatures. There is no description of pitfalls and any security considerations. Thus, developers must implement the validation on their own without a best-common-practice information."

Secondly, they found "The error tolerance of the PDF viewer is abused to create non-valid documents bypassing the validation, yet correctly displayed to the user."

They came up with a verification algorithm. It's a concrete approach on how to compute the values necessary for the verification and how to detect manipulations after signing the PDF file. The specified algorithm must be applied for each signature within the PDF document. As an input, it requires the PDF file as a byte stream and the signature object.

The approach will only work on the last revision that has been done to a PDF document, and does not verify any signatures that may have been done previously to that final revision.

This problem can be serious, and enable some massive financial frauds. It is incumbent on the security team to verify that they have patched all applications affected, and that they are using services that have taken this problem seriously.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
CVE-2020-12779
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
CVE-2020-12780
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
CVE-2020-12781
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.