Over the past year, we’ve embraced the electronic signature for digitally signing PDFs. Insurers, banks, and even governments have given legal validity to electronically signed PDFs. Today, everyone assumes that an electronically signed PDF is tamper-proof.

Unfortunately, it is not!

A few months ago, security researchers from the German Ruhr University Bochum and Hackmanit GmbH ran an experiment on exactly that assumption and documented it in detail.

The electronically signed PDF used for the experiment

For their study, they changed the content of a signed PDF and verified whether the electronic signature was still valid.

To make a very impressive showcase, they changed the amount on an Amazon invoice to 1 trillion US dollars. After the change, the document signature, issued by amazon.de (Amazon’s German subsidiary), remained valid.

Several PDF applications, such as Adobe Reader and Foxit Reader on Linux, Mac, and Windows, still considered the signature valid. The list of all affected PDF applications and online services is available online. Before releasing the findings, the researchers informed the vendors. As a result, fixed versions have been available for quite some time.

Who uses and accepts PDF electronic signatures?

For about 5 years, some EU member states have required organizations offering digital services to support electronic signatures (eIDAS).

In Austria, every governmental authority digitally signs any document based on. Also, any new law is legally valid after it’s announced with a digitally signed PDF.

Outside the EU, countries such as Brazil, Canada, the Russian Federation, and Japan have adopted electronic signatures.

The US government also protects PDF files with PDF signatures. There, individuals can report tax withholding by electronically signing and submitting a PDF.

Forbes ranked the electronic signature and digital transactions company DocuSign No. 4 in its 2017 “Cloud 100” list.

Many companies sign every document they deliver (e.g., Amazon, Decathlon, Sixt). Standardization documents, such as ISO and DIN, are also protected by PDF signatures. Even in the academic world, scientific papers (e.g., ESORICS proceedings) are signed electronically.

According to Adobe, the company processed 8 billion electronic and digital signatures in 2017 alone.

How bad is it?

The researchers evaluated the attack against two types of application: broadly adopted desktop applications and online validation services. Businesses use the latter to verify the digital signature of a PDF document.

During the research, they found 21 of the 22 desktop applications and 5 of the 7 online services to be vulnerable. The researchers have published the detailed results of their evaluation online.

How can I protect myself from tampered PDFs with valid signatures?

The researchers started a responsible disclosure procedure on 9th October 2018. Together with the BSI-CERT, they contacted all vendors and helped them fix the issues.

Check which PDF reader and version you are using and compare it against the list of fixed versions.

If you use one of the analyzed desktop viewer applications, you should already have received an update for your reader.

What’s ahead of us?

Currently, there are no known exploits using these attacks. But as we all know, hackers are always busy finding new security flaws.

Thanks to vChain and its product CodeNotary, hackers will have a much harder time going forward. CodeNotary adds a blockchain-backed integrity check on top of the normal digital signature.

CodeNotary stores the document’s unique hash on an immutable blockchain. Nobody would be able to change the content of the document unnoticed, and a situation like the one above would not be possible at all.
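As an added illustration of the check described above (example code written for this post, not CodeNotary’s implementation): a hash-chained, append-only ledger stands in for the blockchain, and `verify` compares the bytes a recipient actually holds against the hash recorded when the document was issued, so any change to the document fails the check regardless of what a viewer’s signature panel shows. The invoice bytes and the ledger are constructed here.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # "previous hash" of the first ledger record

def document_hash(data: bytes) -> str:
    """SHA-256 over the exact bytes the recipient holds, signature fields included."""
    return hashlib.sha256(data).hexdigest()

def _record_digest(doc_hash: str, signer: str, prev: str) -> str:
    # Each record commits to its predecessor, so editing one entry breaks the whole chain.
    return hashlib.sha256(json.dumps([doc_hash, signer, prev]).encode()).hexdigest()

@dataclass(frozen=True)
class Record:
    doc_hash: str
    signer: str
    prev: str
    record_hash: str

def notarize(ledger: list, data: bytes, signer: str) -> Record:
    """Append the document's hash to the ledger; done once, when the document is issued."""
    prev = ledger[-1].record_hash if ledger else GENESIS
    dh = document_hash(data)
    rec = Record(dh, signer, prev, _record_digest(dh, signer, prev))
    ledger.append(rec)
    return rec

def ledger_intact(ledger: list) -> bool:
    """Recompute the chain; an edited, dropped or reordered record is detected."""
    prev = GENESIS
    for r in ledger:
        if r.prev != prev or r.record_hash != _record_digest(r.doc_hash, r.signer, r.prev):
            return False
        prev = r.record_hash
    return True

def verify(ledger: list, data: bytes, signer: str) -> bool:
    """True only if the ledger is intact and these exact bytes were notarized by `signer`."""
    dh = document_hash(data)
    return ledger_intact(ledger) and any(r.doc_hash == dh and r.signer == signer for r in ledger)

# Constructed sample: a stand-in for the signed invoice's bytes, not a real PDF.
INVOICE = b"%PDF-1.7\n... Invoice 4711, total due: 1,000.00 USD ...\n%%EOF\n"
LEDGER: list = []
notarize(LEDGER, INVOICE, "amazon.de")
```

Both an in-place edit of the amount and content appended after the original bytes fail `verify`, and an edited ledger record fails `ledger_intact`, which is why the store itself has to be immutable.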

Start sending and verifying your documents using CodeNotary.