Password-protected PDFs are not enough to secure sensitive documents. No solutions available

Any deployment, no matter its protections, may be exposed to further hacking attacks. Ethical hacking experts have found a way to extract information contained in Portable Document Format (PDF) files encrypted or password-protected.

The group of researchers at Ruhr-Bochum University in Germany published a research entitled “Breaking PDF Encryption”, which reveals two variants of a new attack exposing allegedly protected information in more than 20 PDF readers widely used, such as Adobe Acrobat Reader and the tools included in Chrome and Firefox browsers.

This new attack, dubbed PDFex, exploits some security oversights in the encryption standard integrated into this format. According to ethical hacking specialists, this method is not to break the password of a document, but rather leverages a feature known as “partial encryption” native to the PDF specification to extract the content after users interact with the document.

Attackers don’t even need to get a document password, experts mention. “The PDF format allows you to mix encrypted text with plain text, allowing you to upload external resources via HTTP to a file so that the attacker can extract the information when the targeted user opens the file”, the experts add.

In simpler words, a hacker can alter a password protected or encrypted PDF so that, when opened, an unencrypted copy of the file is sent to a remote server under attackers’ control using malicious JavaScript codes or URL and PDF forms.

Regarding the second variant of the PDFex attack, attackers use Cipher Block Chaining (CBC) mode to take a piece of encrypted text in a new encrypted text, a feature known as malleability.

CBC mode uses a special mechanism to encrypt data, so encryption in each block of text depends on the previous block. “Only knowing a plain text segment is required to manipulate an encrypted file,” the ethical hacking experts said.

Most PDF readers analyzed by researchers are exposed to the two variants of the attack, including Adobe Reader, Foxit Reader, PDF Studio Viewer and Nitro Reader. In the most severe cases, PDF readers are vulnerable to both attack variants without the need for user interaction.

Researchers reported their findings in a timely manner to the affected companies; in addition, they publicly disclosed an exploit proof-of-concept for the PDFex attack.

The main cause of these attacks is that multiple formats (such as XML, S, and PDF) allow users to encrypt only a few parts of their content. Because of this “adaptability”, threat actors can inject their own content, which can create the conditions conducive to an attack like the one depicted in this investigation.

Specialists in ethical hacking from the International Institute of Cyber Security (IICS) mention that the use of PDF for malicious purposes shows considerable growth. One of the main attack techniques is sending malicious PDF files attached in emails. In preventing this attack variant, specialists recommend stopping using partially encrypted PDF support, as well as conform to a security policy in which unencrypted objects cannot access encrypted content.