PDF files could easily be hacked, even with additional encryption, according to a team scientist.
The new attack with the name PDFex is available in two variants. While testing, he was able to successfully steal data from PDF files in 27 desktop and Web PDF readers, including Adobe Acrobat, Foxit Reader, Nitro, and Chrome and Firefox's built-in PDF viewers.
PDFex does not target the encryption used by external software for PDF documents. Instead, the attack targets the encryption schemes used by Portable Document Format (PDF). This means that all PDFs are vulnerable, regardless of the software with which they are displayed.
While the PDF standard supports native encryption, a team of six scientists from the Ruhr University Bocum and the University of Münster in Germany identified problems with the encryption support of the standard and used them to create PDFex.
According to a blog post published by the researchers, encrypted PDF documents are subject to two forms of attack known by the method of attacking and filtering data.
The first method known as "direct exfiltration" exploits the fact that PDF software does not fully encrypt a PDF file and leaves some parts unencrypted. By intervening in these unencrypted fields, an attacker can create a bugs-wrapped PDF file that attempts to return the contents of the file to an attacker when they are decrypted and opened.
The second PDFex attack variant focuses on the parts of a PDF file that are encrypted. By using CBC gadgets, an attacker can change the plain text data stored in a PDF at its source. This means that an attacker can use a CBC gadget to modify the encrypted content to create e-mail-wrapped PDF files that send their own content to remote servers using PDF forms or URLs.
All of the different variants of PDFex require that an attack be able to change the user's encrypted PDF files. However, they would have to intercept the network traffic of a victim or have physical access to their devices or storage.
Overall, PDFex is a major vulnerability in the PDF standard, and the research team behind the new attack will present its findings at the ACM Computer and Communications Security Conference next month.
The price written on this page is true as the time it is written. It may change at any moment.