Contract killer: Certified PDFs can be secretly tampered with during the signing process, boffins find

24 out of 26 tools vulnerable – with bonus JavaScript attack for Adobe


A pair of techniques to surreptitiously alter the content of certified PDFs have been detailed by researchers in Germany.

The upshot is that someone could digitally add their signature to a PDF of, say, a contract, pass the file to a partner to digitally sign, and that second person could sneakily alter the contract's text as well as sign it, creating confusion down the line. While the addition of the second signature would be permitted, tampering with the text should be detected and flagged up by application software – unless the second person uses the aforementioned techniques.

The exploits, dubbed Evil Annotation and Sneaky Signature, are detailed in a paper [PDF] and website by Ruhr University Bochum's Simon Rohlmann, Dr Vladislav Mladenov, Dr Christian Mainka, and Professor Jörg Schwenk. The team were due to present their work at the 42nd IEEE Symposium on Security and Privacy, taking place online this week.

Their discovery would be a boon to scammers, and while the developers of major PDF-generation applications, such as Adobe, LibreOffice, and Foxit, have now patched their code to thwart the techniques, the makers of minor PDF tools have been slower to respond.

Using certified PDFs is increasingly common in business. The creator of such a document can allow some content changes, such as adding a digital signature or side notes, without tripping any alarms. However, the team found that some of these annotation fields can be manipulated to introduce new material and change the meaning of the text.

With the Evil Annotation attack, the boffins found three annotations – FreeText, Redact, and Stamp – could be subverted to allow images or new text to be inserted into a document without the creator being aware. "All three can be used to stealthily modify a certified document and inject malicious content," their paper explained. "In addition, 11 out of 28 annotations are classified as medium since an attacker can hide content within the certified document."

For documents where the annotations that are allowed to be added are more limited, Sneaky Signature comes into play. The second person to sign the document can do so, and then use that process to add additional information. That is to say, rather than abuse annotations, the signing process is exploited.

"If a certified document is opened in a common PDF application, signatures can only be added to free signature fields provided by the certifier. Adding empty signature fields is normally no longer possible within the application," the paper states.

"However, the specification does not prohibit adding empty signature fields to a certified document. By using frameworks like Apache PDFBox, empty signature fields can be placed anywhere in the document and filled with arbitrary content."

The researchers tested 26 popular PDF tools, and found 24 of them were vulnerable to one or both of the flaws. The only viewers to get a clean bill of health for this issue were PDF Editor 6 Pro and PDFelement Pro.

The techniques described aren't perfect: the alterations can be later discovered when the PDF files are compared, though by that point, whatever fraud was planned may have been successfully pulled off. In the case of someone inserting new payment details into an invoice or contract to siphon off funds, the money may be long gone by that point.
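An added example, not code from the researchers or this article: a Python check that splits a certified PDF at the end of the first signature's /ByteRange and reports, in the bytes appended afterwards, the three annotation subtypes named above and any signature field that was not in the certified revision. The sample file, field names and helper names are constructed for illustration, and the raw-byte scan assumes uncompressed objects.

```python
import re

RISKY_ANNOTS = (b"FreeText", b"Redact", b"Stamp")  # subtypes named in the article
OBJ = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def split_revisions(pdf):
    """Split at the end of the bytes covered by the first signature's /ByteRange."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange: file carries no signature")
    _, _, start2, len2 = map(int, m.groups())
    return pdf[:start2 + len2], pdf[start2 + len2:]

def sig_fields(data):
    """Names (/T) of signature fields (/FT /Sig); sees uncompressed objects only."""
    names = set()
    for body in OBJ.findall(data):
        if re.search(rb"/FT\s*/Sig\b", body):
            t = re.search(rb"/T\s*\((.*?)\)", body)
            names.add(t.group(1) if t else b"<unnamed>")
    return names

def audit(pdf):
    """List what an incremental update added on top of the certified revision."""
    certified, update = split_revisions(pdf)
    found = [b"annotation:" + n for n in RISKY_ANNOTS
             if re.search(rb"/Subtype\s*/" + n + rb"\b", update)]
    new = sig_fields(update) - sig_fields(certified)
    found += [b"new-signature-field:" + n for n in sorted(new)]
    return [f.decode() for f in found]

def make_sample(update):
    """Constructed stand-in: a certified revision followed by `update` bytes."""
    head = (b"%PDF-1.7\n2 0 obj\n<< /FT /Sig /T (Certification) /V 1 0 R >>\nendobj\n"
            b"3 0 obj\n<< /FT /Sig /T (Signature1) >>\nendobj\n"
            b"1 0 obj\n<< /Type /Sig /Contents ")
    sig = b"<" + b"00" * 8 + b">"
    rest = b" /ByteRange [0 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC] >>\nendobj\n%%EOF\n"
    a, b = len(head), len(head) + len(sig)
    for mark, val in ((b"A", a), (b"B", b), (b"C", len(head + sig + rest) - b)):
        rest = rest.replace(mark * 10, b"%010d" % val)
    return head + sig + rest + update

if __name__ == "__main__":
    evil = b"5 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (x) >>\nendobj\n%%EOF\n"
    print(audit(make_sample(evil)))
```

A second signature placed in a field the certifier provided rewrites an existing field name and is not reported; only field names absent from the certified revision are.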

As a dark bonus, the team also found a security weakness that specifically hit Adobe products. This could be exploited to embed malicious code in documents with no warning to the recipient, thanks to Adobe's JavaScript policies.

"Only certified documents may execute high privileged JavaScript code in Adobe products," they said. "The attack is not limited to calling up a website but can execute any high privileged JavaScript code. The only requirement is that the victim fully trusts the certificate used to certify the PDF document."

Adobe fixed this issue at the start of November following responsible disclosure of the flaw. Many of the other tested applications have also been patched, although some vendors haven't responded – you can see the full list here. Make sure you're up to date with your applications, if you can. ®
