A Flaw Of PDF Allows Hackers To Access Password-Protected Files

Saanvi Araav - Oct 12, 2019

A group of researchers has found out a technique allowing hackers to access content from an encrypted or password-protected PDF document

Software Engineer Hacking Former Company, Hoping To Be Rehired
Pakistan-Linked Hacker Group Exploits CO.VID-19 Fear To Attack Indians, Posing As The Indian Government
A Hacker Was Awarded $75,000 As Bug Bounty After Reporting Safari Bugs To Apple

A group of researchers has found out a technique that allows hackers to access content from an encrypted or password-protected PDF document under some conditions. From the published paper - German researchers from Münster University and Ruhr-University Bochum have disclosed two types of cyber attacks that exploit the vulnerability in 23 popular PDF viewers. The vulnerable list includes the PDF viewers built-in Firefox and Chrome, Evince, Adobe, and others.

PDFex

PDFex attack uses the security weaknesses within the built-in encryption protection of the PDF file. This attack does not try to crack the encrypted PDF file's password, but rather, it takes advantage of the partial encryption of the PDF specs to exfiltrate the content remotely when the user opens the file.

Vulnerable-Pdf-hacker — They have disclosed two types of cyber attacks that exploit the vulnerability in 23 popular PDF viewers.

According to the researchers, even without the password, the hacker could still manipulate some parts of the encrypted PDF document. So the hacker would modify the encrypted PDF document. After that, when the document gets the correct password, it will send a copy of the protected content to a server (of the hacker) via JavaScript code, URL, or PDF form.

More troublesome is that the hacker does not need any user interaction to exfiltrate the document. They just needed to tampering the unencrypted data via the PDF form.

The 2nd Type

The 2nd type of attack is quite similar to the first one. However, it only uses the PDF file's encrypted bits. It takes advantage of the encrypting plaintext blocks' CBC mode to change part of ciphertext into another part of the ciphertext.

The CBC mode uses the chaining mechanism to protect data that means the encryption of each block depends on the previous block. So you need to know the “plaintext segment” to manipulate the encrypted object directly.

hacker-Cbc-Mode — You need to know the “plaintext segment” to manipulate the encrypted object directly.

The researchers have disclosed these findings to all impacted vendors and release to the general public a POC of the PDFex attacks. They suggest that to mitigate this type of attack, we should drop support for the partially encrypted PDF format.