A Flaw Of PDF Allows Hackers To Access Password-Protected Files

Saanvi Araav - Oct 12, 2019



A group of researchers has found a technique that allows hackers to access content from an encrypted or password-protected PDF document.

A group of researchers has found a technique that allows hackers to access content from an encrypted or password-protected PDF document under some conditions. In their published paper, German researchers from Münster University and Ruhr-University Bochum disclose two types of cyber attack that exploit the vulnerability in 23 popular PDF viewers. The vulnerable list includes the PDF viewers built into Firefox and Chrome, Evince, Adobe, and others.

PDFex

The PDFex attack uses security weaknesses in the encryption protection built into the PDF format. It does not try to crack the encrypted PDF file's password; rather, it takes advantage of the partial encryption allowed by the PDF specification to exfiltrate the content remotely when the user opens the file.


According to the researchers, even without the password, a hacker can still manipulate some parts of an encrypted PDF document. The hacker modifies the encrypted document, and later, when the document is opened with the correct password, it sends a copy of the protected content to a server controlled by the hacker via JavaScript code, a URL, or a PDF form.

More troublesome is that the hacker does not need any user interaction to exfiltrate the document. They just need to tamper with the unencrypted data via the PDF form.

The 2nd Type

The second type of attack is quite similar to the first one. However, it uses only the encrypted parts of the PDF file. It takes advantage of the CBC mode used to encrypt the plaintext blocks to change part of the ciphertext into another part of the ciphertext.

CBC mode protects data with a chaining mechanism, which means the encryption of each block depends on the previous block. So you need to know the “plaintext segment” to manipulate the encrypted object directly.
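The role of the known plaintext segment can be seen in the following added example, which is not taken from the researchers' paper or proof of concept: CBC decryption without an integrity check accepts a modified IV and returns altered plaintext for a block whose original content was known, while a MAC over the IV and ciphertext rejects the change. A toy Feistel cipher built from SHA-256 stands in for AES so the code runs with the standard library only; the keys, messages, function names and the HMAC check are assumptions of this example.

```python
import hashlib
import hmac

BLOCK = 16  # bytes, the AES block size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, rounds):  # toy cipher standing in for AES, NOT secure
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l  # final swap: running the rounds in reverse order decrypts

def cbc_encrypt(key, iv, pt):  # len(pt) must be a multiple of BLOCK (no padding)
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, xor(pt[i:i + BLOCK], prev), range(4))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(feistel(key, ct[i:i + BLOCK], range(3, -1, -1)), prev)
        prev = ct[i:i + BLOCK]
    return out

def tag(mac_key, iv, ct):  # encrypt-then-MAC: authenticate IV and ciphertext
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_checked(key, mac_key, iv, ct, t):
    if not hmac.compare_digest(t, tag(mac_key, iv, ct)):
        raise ValueError("IV or ciphertext was modified")
    return cbc_decrypt(key, iv, ct)

def demo():  # every key and message here is a constructed sample value
    key, mac_key, iv = b"sample-enc-key", b"sample-mac-key", bytes(range(BLOCK))
    known, wanted = b"HEADER-BLOCK-001", b"CHANGED-BLOCK-01"
    ct = cbc_encrypt(key, iv, known + b"secret body text")
    t = tag(mac_key, iv, ct)
    bad_iv = xor(xor(iv, known), wanted)  # P0 = D(C0) xor IV, so P0 follows the IV
    unchecked = cbc_decrypt(key, bad_iv, ct)  # no integrity check: accepted
    try:
        open_checked(key, mac_key, bad_iv, ct, t)
        detected = False
    except ValueError:
        detected = True
    return unchecked, detected
```

`demo()` returns the plaintext produced by the unchecked decryption together with a flag showing whether the MAC-verified path rejected the same input.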


The researchers have disclosed these findings to all impacted vendors and released a POC of the PDFex attacks to the general public. They suggest that, to mitigate this type of attack, we should drop support for the partially encrypted PDF format.
