New Attacks Show Signed PDF Documents Cannot Be Trusted
Many popular PDF viewers and online validation services contain vulnerabilities that can be exploited to make unauthorized changes to signed PDF documents without invalidating their signature, researchers have warned.
A team of researchers from the Ruhr-University Bochum in Germany has analyzed 22 desktop applications (including their Windows, Linux and macOS versions) and 7 online validation services.
PDF signatures, which rely on cryptographic operations, are widely used by organizations around the world to ensure that their documents are protected against unauthorized modifications. Many governments sign their official documents, researchers often sign scientific papers, and major companies such as Amazon are known to sign documents such as invoices. If a signed document has been changed, its signature should become invalid.