Click to Skip Ad
Closing in...

This scary security flaw could let hackers change contracts you already signed

Published Jun 1st, 2021 9:34PM EDT
Security flaw
Image: Minerva Studio/Adobe

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

One news publication I’ve written a fair amount of content for always required that writers prepare and submit invoices in PDF form, ostensibly because they’re less susceptible to manipulation compared to a garden variety text-based document. At least that’s what I think the reason for that mandate was, not that it matters to writers much. If that directive is how you get paid, then that’s what you do, even though — well, let’s just say that anyone who has held that assumption about the nature of PDFs needs to disabuse themselves of it pretty quickly.

Researchers with Germany’s Ruhr-University Bochum, presenting at this year’s IEEE Symposium on Security and Privacy, walked through security flaws inherent in PDFs that have already been patched by most applications that read these documents, but the implications here are scary, nonetheless.

Basically, the researchers found a way to alter both the signature process of PDFs as well as to annotate changes. As they explain on their blog, “we performed an extensive analysis of the security of PDF certification. In doing so, we developed the Evil Annotation Attack (EAA), as well as the Sneaky Signature Attack (SSA).

“The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels. Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using EAA and in 8 applications using SSA by using PDF specification compliant exploits. We improved both attacks’ stealthiness with applications’ implementation issues and found only two applications secure to all attacks.”

It certainly sounds like the intended use case of a security flaw like this is the equivalent of forging someone’s name on a contract or document that they wouldn’t otherwise sign — or, via the ability to annotate a PDF, perhaps to insert clauses or other features of an agreement that the person didn’t believe was part of the document that they originally signed. It’s a little bit of a head-scratcher though, since one way of protecting yourself from this kind of thing would seem to be … just keeping a copy of the signed, original document for yourself for literally this reason?

This all comes, by the way, just a few weeks after Adobe Acrobat issued a patch for a zero-day that targeted Windows users specifically. Not long after, as we noted here, researchers with Microsoft Security Intelligence revealed that PDFs were the vector whereby attackers were disseminating a Java-based remote access Trojan that could do everything from logging user keystrokes to stealing credentials, and much more.

Related coverage:

Andy Meek Trending News Editor

Andy Meek is a reporter based in Memphis who has covered media, entertainment, and culture for over 20 years. His work has appeared in outlets including The Guardian, Forbes, and The Financial Times, and he’s written for BGR since 2015. Andy's coverage includes technology and entertainment, and he has a particular interest in all things streaming.

Over the years, he’s interviewed legendary figures in entertainment and tech that range from Stan Lee to John McAfee, Peter Thiel, and Reed Hastings.