PDF Encryption Is Busted: Adobe Acrobat, Foxit and Others Affected by Security Flaws

Researchers from Ruhr University Bochum and Münster University revealed PDFex, two vulnerabilities in PDF files that undermine the encryption used to secure their contents. One vulnerability lets attackers manipulate parts of the file to enable direct exfiltration attacks, and the other can be used to “modify existing plaintext” and “construct entirely new encrypted objects.”

The first vulnerability works because “the PDF specification allows the mixing of ciphertexts with plaintexts,” the researchers explained, and potential attackers could then use “further PDF features which allow the loading of external resources via HTTP” to steal the file’s contents. They managed to exfiltrate data from an encrypted PDF via PDF forms, hyperlinks and JavaScript code added to the original document.

The second vulnerability results from PDF encryption’s use of “the Cipher Block Chaining (CBC) encryption mode with no integrity checks, which implies ciphertext malleability.” This lets attackers “create self-exfiltrating ciphertext parts using CBC malleability gadgets.” Attackers can use the same methods of exfiltration (PDF forms, hyperlinks and JavaScript) to access file contents after exploiting this vulnerability.
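As an added illustration that is not part of the original article or of the PDFex research, the following Go program (constructed key, MAC key, IV and plaintext; all function names are the example's own) shows the property the second vulnerability relies on and the check that would catch it: XORing one byte of a CBC ciphertext changes the corresponding plaintext byte of the next block without any knowledge of the key, while an HMAC over the ciphertext rejects the modified data before it is ever decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo keys and IV; nothing here comes from a real PDF.
var (
	demoKey    = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoMacKey = []byte("separate-mac-key-32-bytes-long!!")
	demoIV     = []byte("constructed-iv!!") // 16 bytes
)

// cbc runs whole 16-byte blocks through CBC; pass cipher.NewCBCEncrypter or
// cipher.NewCBCDecrypter. Padding is omitted; it does not affect malleability.
func cbc(key, iv, in []byte, newMode func(cipher.Block, []byte) cipher.BlockMode) []byte {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	newMode(b, iv).CryptBlocks(out, in)
	return out
}

// tamper XORs delta into byte `offset` of ciphertext block n-1; CBC decryption then XORs
// the same delta into plaintext block n (garbling block n-1). No key is needed.
func tamper(ct []byte, n, offset int, delta byte) []byte {
	out := append([]byte(nil), ct...)
	out[(n-1)*aes.BlockSize+offset] ^= delta
	return out
}

// tag and verify add the integrity check PDF encryption lacks: HMAC-SHA256 over
// IV||ciphertext, compared in constant time before anything is decrypted.
func tag(macKey, iv, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv); h.Write(ct)
	return h.Sum(nil)
}
func verify(macKey, iv, ct, t []byte) bool { return hmac.Equal(tag(macKey, iv, ct), t) }

func main() {
	ct := cbc(demoKey, demoIV, []byte("Action: Submit  URI=/safe/target"), cipher.NewCBCEncrypter)
	t := tag(demoMacKey, demoIV, ct)
	bad := tamper(ct, 1, 0, 'U'^'X') // flips 'U' to 'X' in block 1 without the key
	fmt.Printf("%q tag ok: %v\n", cbc(demoKey, demoIV, bad, cipher.NewCBCDecrypter)[16:], verify(demoMacKey, demoIV, bad, t))
}
```

The viewer-side lesson is the last line: a reader that checks the tag first never sees the altered block, whereas a CBC-only viewer happily decrypts and acts on it.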

This isn’t an isolated problem. The researchers explained that many companies rely on PDF encryption. Some, like Canon and Samsung, use PDF encryption in their scanners. IBM offers “PDF encryption services for PDF documents and other data (e.g., confidential images) by wrapping them into PDF,” they said, and PDF encryption can also be used to keep medical records secure during transfer. 

The PDFex vulnerabilities are also hard to avoid because they’re problems with the PDF format itself. The researchers said their “evaluation shows that among 27 widely-used PDF viewers, all of them are vulnerable to at least one of those attacks, including popular software such as Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox.” They shared more information about this evaluation on a dedicated website.