Ruhr-Uni-Bochum
HGI


Bochum researchers bypass digital signatures of PDF documents


Researchers at the Horst Görtz Institute at the Ruhr University Bochum have succeeded in modifying the contents of signed PDF documents without invalidating the signature of the file. Almost none of the tested PDF applications noticed the manipulation. Many companies use signed PDF files for invoices; some countries, such as Austria and the USA, also use them to protect government documents.

"Digital signatures in PDF documents ensure, like the small green lock in a web browser, that the document really comes from the specified sender," explains Jörg Schwenk. "Many Germans pay their bills daily by bank transfer on the basis of such signed documents."

Since the vulnerability affected almost all popular PDF applications and online services, the researchers reported it to the Federal Office for Information Security's Computer Emergency Response Team in October 2018. With the team's support, the Bochum researchers Dr. Vladislav Mladenov, Dr. Christian Mainka, Martin Grothe and Prof. Dr. Jörg Schwenk, together with Karsten Meyer zu Selhausen from Hackmanit, helped the developers of the PDF applications close the security gaps.
The researchers from the Horst Görtz Institute for IT Security in Bochum published their results online on February 25, 2019.

 
