A team of academics from the Ruhr-University Bochum in Germany say they've managed to break the digital signing system and create fake signatures on 21 of 22 desktop PDF viewer apps and five out of seven online PDF digital signing services.
This includes apps such as Adobe Acrobat Reader, Foxit Reader, and LibreOffice, and online services like DocuSign and Evotrust --just to name the most recognizable names.
The five-person research team has been working since early October 2018 together with experts from Germany's Computer Emergency Response Team (BSI-CERT) to notify impacted services.
The team went public with their findings over the weekend after all affected app makers and commercial companies finished patching their products.
The reason why researchers were willing to wait months so all products would receive fixes is because of the importance of PDF digital signatures.
Digitally signed PDF documents are admissible in court, can be used as legally-binding contracts, can be used to approve financial transactions, can be used for tax filing purposes, and can be used to relay government-approved press releases and announcements.
Having the ability to fake a digital signature on an official PDF document can help threat actors steal large amounts of money or cause chaos inside private companies and public institutions.
In research published today, the Ruhr-University Bochum team described three vulnerabilities that they found in the digital signing process used by several desktop and web-based PDF signing services. Summarized, they are:
- Universal Signature Forgery (USF) - vulnerability lets attackers trick the signature verification process into showing users a fake panel/message that the signature is valid.
- Incremental Saving Attack (ISA) - vulnerability lets attackers add extra content to an already signed PDF document via the