A Flaw Of PDF Allows Hackers To Access Password-Protected Files

Saanvi Araav - Oct 12, 2019


A Flaw Of PDF Allows Hackers To Access Password-Protected Files

A group of researchers has found out a technique allowing hackers to access content from an encrypted or password-protected PDF document

A group of researchers has found out a technique that allows hackers to access content from an encrypted or password-protected PDF document under some conditions. From the published paper - German researchers from Münster University and Ruhr-University Bochum have disclosed two types of cyber attacks that exploit the vulnerability in 23 popular PDF viewers. The vulnerable list includes the PDF viewers built-in Firefox and Chrome, Evince, Adobe, and others.

PDFex

PDFex attack uses the security weaknesses within the built-in encryption protection of the PDF file.  This attack does not try to crack the encrypted PDF file's password, but rather, it takes advantage of the partial encryption of the PDF specs to exfiltrate the content remotely when the user opens the file. 

Vulnerable-Pdf-hacker
They have disclosed two types of cyber attacks that exploit the vulnerability in 23 popular PDF viewers.

According to the researchers, even without the password, the hacker could still manipulate some parts of the encrypted PDF document.  So the hacker would modify the encrypted PDF document. After that, when the document gets the correct password, it will send a copy of the protected content to a server (of the hacker) via JavaScript code, URL, or PDF form.

More troublesome is that the hacker does not need any user interaction to exfiltrate the document. They just needed to tampering the unencrypted data via the PDF form.

The 2nd Type

The 2nd type of attack is quite similar to the first one. However, it only uses the PDF file's encrypted bits. It takes advantage of the encrypting plaintext blocks' CBC mode to change part of ciphertext into another part of the ciphertext.

The CBC mode uses the chaining mechanism to protect data that means the encryption of each block depends on the previous block. So you need to know the  “plaintext segment” to manipulate the encrypted object directly.

hacker-Cbc-Mode
You need to know the  “plaintext segment” to manipulate the encrypted object directly.

The researchers have disclosed these findings to all impacted vendors and release to the general public a POC of the PDFex attacks. They suggest that to mitigate this type of attack, we should drop support for the partially encrypted PDF format. 

Tags

Comments

Sort by Newest | Popular

Next Story

Read more

Best Wireless Earphones Under 2000 For Indian Users

Gadgets- May 29, 2020

Best Wireless Earphones Under 2000 For Indian Users

You want to buy a good pair of headphones but only have Rs 2,000? We have compiled a list of best wireless earphones under 2000 that are available in India.

Best Phones Under 10000 For Gaming In India: Top Choices & Reviews

Mobile- May 29, 2020

Best Phones Under 10000 For Gaming In India: Top Choices & Reviews

Best phones under 10000 for gaming in India: These are the top five phones available in India that offer the highest value for the money.

How To Split Screen In Note 9 - A Step-By-Step Guide For Indian Users

How To- May 28, 2020

How To Split Screen In Note 9 - A Step-By-Step Guide For Indian Users

From now on, you can take full advantage of your Samsung Galaxy Note 9 screen.

This Free App Lets You Stream VR P.o.r.n On PlayStation 4

Features- May 30, 2020

This Free App Lets You Stream VR P.o.r.n On PlayStation 4

Even though Sony has banned VR p.o.r.n on its PlayStation 4 consoles, a new way to do so has recently emerged

Boys Let Poisonous Spider Bit Them To Turn Into Spider-Man, Hospitalized

Features- May 28, 2020

Boys Let Poisonous Spider Bit Them To Turn Into Spider-Man, Hospitalized

The three boys showed symptoms including muscle pains, fevers, and tremors after they were bitten by a black widow spider

Superman Returns Full Movie In Hindi Download Filmyzilla: Free Movie For Indian Audience

Features- May 29, 2020

Superman Returns Full Movie In Hindi Download Filmyzilla: Free Movie For Indian Audience

If you are on the lookout for Superman Returns full movie in Hindi download filmyzilla, you have come to the right place