
Hackers Now Can Access Data In Secure PDF Files

October 10, 2019 | May 9th, 2022 | Cybersecurity

A team of six researchers from Ruhr-University Bochum and Münster University in Germany has discovered a critical flaw in the way that popular PDF viewers display data.

This makes it possible for an attacker to exfiltrate data from encrypted PDF files.

The researchers tested twenty-seven different desktop and web-based PDF viewer apps, ranging from the ubiquitous Adobe Reader to Foxit and even the viewers built into both Chrome and Firefox. They found that every single one of them was vulnerable to the new attacks they engineered. The researchers developed two major lines of attack, with a few variants based on each type.

They had this to say about their findings:

“Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels, which are based on standard-compliant PDF properties…our evaluation shows that among 27 widely used PDF viewers, all of them are vulnerable to at least one of these attacks. These alarming results naturally raise the question of the root causes for practical decryption exfiltration attacks.  We identified two of them.

First, many data formats allow to encrypt only parts of the content.  This encryption flexibility is difficult to handle and allows an attacker to include their own content, which can lead to exfiltration channels.

Second, when it comes to encryption, AES-CBC–or encryption without integrity protection in general–is still widely supported.  Even the latest PDF 2.0 specification released in 2017 still relies on it.  This must be fixed in future PDF specifications.”

This is an alarming discovery, although these attacks have not yet been seen in the wild. Now that the word is out, it’s just a matter of time. Worse, there’s no fix on the horizon, which means that the PDFs you may be relying on to help keep your data secure simply aren’t secure.
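A defender can see which cipher and which partial-encryption settings a given file declares by reading its /Encrypt dictionary, which is where the two root causes named in the quote show up. The following is an added example, not code from the original article or from the researchers: a heuristic byte scan rather than a full PDF parser, with function names and sample bytes constructed for illustration.

```python
import re

# /CFM values from the PDF specification; none of them authenticates ciphertext.
CFM = {"None": "no encryption", "V2": "RC4", "AESV2": "AES-128-CBC", "AESV3": "AES-256-CBC"}

def dict_at(data, start):
    """Return the balanced << ... >> dictionary that begins at data[start]."""
    depth = 0
    for m in re.finditer(rb"<<|>>", data[start:]):
        depth += 1 if m.group() == b"<<" else -1
        if depth == 0:
            return data[start:start + m.end()]
    return b""

def find_encrypt_dict(pdf):
    """Locate the /Encrypt dictionary, written inline or as an indirect reference."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:
        obj = re.search(rb"(?<!\d)%s\s+%s\s+obj\s*(?=<<)" % ref.groups(), pdf)
        return dict_at(pdf, obj.end()) if obj else b""
    inline = re.search(rb"/Encrypt\s*(?=<<)", pdf)
    return dict_at(pdf, inline.end()) if inline else b""

def name(d, key):
    """Value of a name-typed key; StmF and StrF default to Identity when absent."""
    m = re.search(rb"/" + key + rb"\s*/(\w+)", d)
    return m.group(1).decode() if m else "Identity"

def triage(pdf):
    """Return findings on unauthenticated ciphers and partial encryption."""
    d = find_encrypt_dict(pdf)
    if not d:
        return ["no /Encrypt dictionary found"]
    v = re.search(rb"/V\s+(\d+)", d)
    if not v or int(v.group(1)) < 4:
        return ["legacy handler without crypt filters: no integrity protection"]
    out = ["cipher %s: no integrity protection" % CFM.get(c.decode(), c.decode())
           for c in sorted(set(re.findall(rb"/CFM\s*/(\w+)", d)))]
    stm, strf = name(d, b"StmF"), name(d, b"StrF")
    if "Identity" in (stm, strf) or stm != strf:
        out.append("partial encryption: streams=%s strings=%s" % (stm, strf))
    if re.search(rb"/EncryptMetadata\s+false", d):
        out.append("partial encryption: metadata stream left in plaintext")
    return out

# Constructed sample: AES-CBC for streams, strings left unencrypted.
SAMPLE = (b"trailer << /Root 1 0 R /Encrypt 7 0 R >>\n7 0 obj\n<< /Filter /Standard /V 4 "
          b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> /StmF /StdCF /StrF /Identity >>\nendobj\n")
```

Calling `triage(SAMPLE)` returns one finding for the AES-CBC crypt filter and one for the mixed stream/string setting; a clean result from this scan does not mean a file is safe to open in a vulnerable viewer.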

Jason Manteiga
