Many popular .PDF viewers and online validation services contain vulnerabilities that can be used to make unauthorized changes to signed .PDF documents without invalidating their signature.
The signatures of .PDF documents rely on cryptographic protection, which prevents unauthorized changes from being introduced into a document signed this way.
This type of .PDF document signing is widely used by many governments around the world, as well as by companies and large corporations such as Amazon, which sign documents such as invoices using these applications and services.
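A PDF signature does not cover the whole file by construction: the signature dictionary carries a /ByteRange entry naming the two byte spans that were hashed, and anything written after the second span (for example by an incremental update) is outside the signed data. A validator that reports "signature valid" without also reporting that unsigned bytes follow the signed region is exactly the kind of behaviour this advisory warns about. The following Python script is an added example, not code from the original advisory or from the researchers; it builds a constructed, minimal PDF-like byte string with a correct /ByteRange (the `build_sample` helper and its placeholder signature value are assumptions for demonstration only) and then checks whether the last signature's range reaches the end of the file.

```python
import re

# /ByteRange [a b c d] means the signed data is file[a:a+b] + file[c:c+d];
# the gap between a+b and c holds the /Contents hex string with the signature value.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def build_sample(appended: bytes = b"") -> bytes:
    """Construct test data (not a real signed PDF): one signature dictionary whose
    /ByteRange is computed correctly, followed by `appended` bytes that lie
    outside the signed region."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
    contents_hex = b"<" + b"00" * 8 + b">"  # placeholder signature value (constructed)
    tail = b" >>\nendobj\n" + b"%%EOF\n"

    def layout(a, b, c, d):
        # Zero-padded numbers keep the prefix length independent of the values.
        return head + b"/ByteRange [%010d %010d %010d %010d] /Contents " % (a, b, c, d)

    prefix_len = len(layout(0, 0, 0, 0))
    a, b = 0, prefix_len                 # first signed span: everything before '<'
    c = prefix_len + len(contents_hex)   # second span starts right after '>'
    d = len(tail)                        # and runs to the end of the signed file
    return layout(a, b, c, d) + contents_hex + tail + appended


def check_signed_coverage(pdf: bytes) -> dict:
    """Report whether the last /ByteRange covers the entire file.

    This complements, and does not replace, cryptographic verification of the
    signature itself: a mathematically valid signature can still leave trailing
    bytes unsigned."""
    ranges = [tuple(int(x) for x in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]
    if not ranges:
        return {"signatures": 0, "covered": False, "unsigned_trailing": len(pdf)}

    # Use the signature whose range ends last; earlier signatures are expected
    # to be covered by later incremental updates that add further signatures.
    a, b, c, d = max(ranges, key=lambda r: r[2] + r[3])
    signed_end = c + d
    gap = pdf[a + b:c]
    # The only unsigned bytes inside the range must be the /Contents hex string.
    gap_ok = re.fullmatch(rb"\s*<[0-9A-Fa-f\s]*>\s*", gap) is not None
    covered = a == 0 and gap_ok and signed_end == len(pdf)
    return {
        "signatures": len(ranges),
        "covered": covered,
        "unsigned_trailing": max(0, len(pdf) - signed_end),
    }


if __name__ == "__main__":
    print("clean   :", check_signed_coverage(build_sample()))
    print("appended:", check_signed_coverage(
        build_sample(b"\n% constructed bytes outside the signed range\n%%EOF\n")))
```

Trailing unsigned bytes are not proof of tampering on their own; legitimate workflows (a second signer, form filling) also append incremental updates. The practical rule for a validator is to report the unsigned region explicitly and to render the document state that was actually signed, rather than the final state, when the two differ.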
The team of researchers from Germany analyzed 22 desktop applications (for Windows, Linux and macOS) and 7 online services for validating .PDF signatures.
The list of vulnerable applications includes Adobe Reader, Foxit Reader, LibreOffice, Nitro Reader, PDF-Xchange and Soda PDF. The list of vulnerable online signature validation services includes DocuSign, eTR Validation Service, DSS Demonstration WebApp, Evotrust and VEP.si.
The researchers shared their results with the vendors of these applications and online services. Application vendors have already published patches for those vulnerabilities, while some of the online service providers are actively working to find the right solutions.
The National CERT of the Republic of Serbia recommends that all users update their hardware and software in a timely manner, as one of the most effective preventive measures.