back to article Contract killer: Certified PDFs can be secretly tampered with during the signing process, boffins find

A pair of techniques to surreptitiously alter the content of certified PDFs have been detailed by researchers in Germany. The upshot is that someone could digitally add their signature to a PDF of, say, a contract, pass the file to a partner to digitally sign, and that second person could sneakily alter the contract's text as …

  1. Jonathon Green

    Those aren’t bugs they’re features.

    Admittedly not features any sane person would want, need, or consider adding to a secure document exchange format, but then PDF was never meant to be that, and nobody who’d spent more than half-a-day or so examining the spec[1] would ever think it was appropriate to use it for that purpose…

    [1] And for my sins I’ve spent a lot more time than that with it…

    1. William Towle
      Facepalm

      "secure document exchange format"

      > PDF was never meant to be that, and nobody who’d spent more than half-a-day or so examining the spec[1] would ever think it was appropriate to use it for that purpose…

      Unfortunately, people wanting not to send paper documents -perhaps encouraged by the pandemic- want to use it for that.

      I recently had "just use X on your phone to sign [this PDF]" where X wasn't part of the stock android image and I didn't have space to install it, and while I could otherwise sign with libreoffice (after creating certificates and persuading it they existed) I found post-conversion artifacts before I could start ... with the argument "this *needs* to be done on paper" carrying little weight until I decided to stop sending attachments that were meant to be proof (and not finished submissions) :/

      1. bombastic bob Silver badge
        Devil

        Re: "secure document exchange format"

        I tend to agree.

        When I view a PDF on Linux or BSD it's with Atril, the default PDF viewer for Mate [I always disable in-browser reading whenever possible].

        There's also a version of Evince that runs on windows. I installed it years ago when the (bundled) Adobe in Win 7 kept asking me for an e-mail address [so it went into the bit bucket]. I mean, WHY does a PDF READER need MY E-MAIL ADDRESS??

        Now I checked the list o' tested PDF readers and saw NEITHER Evince nor Atril listed. Maybe they don't do the "enhanced certified" thing? I'd just as soon leave it that way, yeah.

        What I do when I need to sign a PDF: print relevant pages, sign, scan, FAX or attach to e-mail (as PDF, yeah). Or just print multiple copies, sign & date one for myself and one for the other party, and use snail-mail or sneaker-net. There's NO school like the OLD school!

        1. Woodnag

          Security

          It shows that it is necessary to be the first signatory, and keep a copy of that doc. If the further versions with more sigs has content changes, at the very least you can show that thare's a problem with the sig system and show that it's not secure to get past the 'no no no you must be mistaken' BS.

        2. Anonymous Coward
          Boffin

          Re: "secure document exchange format"

          I like old school. But this seems to be one of the arguments for an even newer school.

          Much as I hate to say anything good about blockchain, this is a problem that smart-contracts was designed to solve. Although the infrastructure and apps aren't yet ready for prime time.

    2. sgp

      The spec is nearly a thousand pages so half a day would just about be enough to make it past the introduction.

  2. KittenHuffer Silver badge
    Coat

    I went to look at the PDF .....

    ..... but it had been tampered with!

  3. Hubert Cumberdale Silver badge

    The attacks seem a little complicated... by the sound of it, more complicated than those needed to edit a Scottish vaccination certificate (not sure if those were PDFs, as they are [sensibly] rather coy about the details, but I'm not surprised by any of it).

    1. Danny 2

      It's slightly perturbing that SNHS hasn't offered me a vaccine while all my peers have had their second jab. Maybe my doctors are telling me to eff off and die, but more likely I've slipped down a crack in the IT system and it makes me wonder how many of the supposedly "vaccine reluctant" have simply been misplaced or forgotten.

  4. Version 1.0 Silver badge

    Portable Document Format update

    Please Don't Fiddle

  5. Tom 7

    Pointless Document Format.

    Trying to monetize things that are a lot easier done with open standards - and a shit load safer too!

    1. Jonathon Green

      Re: Pointless Document Format.

      PDF is an ISO standard and has been since 2008.

      Download[1] a copy here…

      https://www.iso.org/standard/51502.html

      …develop from it to your hearts content, and as long as you don’t infringe anybody’s IP on the actual implementation you’re free to sell it or give it away without it costing anybody a penny in license fees.

      There (in my view at least) are many things wrong with PDF, but being an Adobe proprietary standard hasn’t been one of them for some time…

      [1] Having paid your 198 Swiss Francs…

      1. Gene Cash Silver badge

        Re: Pointless Document Format.

        > [1] Having paid your 198 Swiss Francs…

        Then it's not an open standard then.

  6. Cuddles

    Perfection

    "The techniques described aren't perfect: the alterations can be later discovered when the PDF files are compared"

    This is an odd sentence to write. The techniques aren't perfect because they only work on the thing they're used on? No shit. It sounds like the techniques absolutely are perfect at doing what they actually do, they just don't magically do a bunch of unrelated impossible things at the same time.

    1. Missing Semicolon Silver badge

      Re: Perfection

      I think it means that what should happen if the secured PDF is modified so as to alter the text (as opposed to adding annotation or a signature) the reading PDF reader should detect that the PDF body no longer passes it's hash check.

      I presume the fixes are in either

      a) The PDF generator, so the the hashed portion is separate from the signatures and annotation so that tampering is evident, or

      b) in the reader so that it detects tampering correctly.

      One hopes that it's not

      c) Fix the PDF modifying app to not allow it to change the body text, honest gov I didn't touch it!

      1. ThatOne Silver badge
        Devil

        Re: Perfection

        It's d) Tell people they're not allowed to do that!

        Seriously, if the solution is a) (unlikely, too sensible), nothing prevents the smart ones to use an older, unfixed version. As for b), detecting tampering, it's very difficult to distinguish between permitted (annotations, additional information) and malicious tampering. On hastily pieced together documents (meaning most of them) it will still be possible to cheat, because a field overflows, or at least is placed in a way allowing you to make believable additions to the otherwise inert main text.

        IMHO the only safe way would be to make special, dedicated and certified programs for just that use. They might use PDFs, but they would have to be built in a way allowing you to make sure a document hasn't been unnecessarily tampered with. Separate cryptographic signatures for the different fields (main body, annotations party A, annotations party B, signature party A, signature party B) would be a good start, allowing you to know in a glance what has been changed and by whom. In-document versioning (allowing to know what was there initially) would be useful too.

  7. Nevermind
    Trollface

    Maybe this explains why a major UK corporate has taken to creating forms, memos well, wtf, everything in Excel ,xlsx format

  8. Blackjack Silver badge

    Honesty PDFs should be replaced by something else at this point.

    1. Stephen Wilkinson

      Preferably something that produces properly accessible documents

  9. Anonymous Coward
    Anonymous Coward

    Bugs...

    So, ehh, Acrobat was written in Adobe Flash?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon