German Researchers Prove That Password-Protected PDF Files Can Be Breached

You create a PDF file. You put a password on it to ensure that no one can access the information inside it. You forget about the file and its security, thinking that you are 100% safe. Unfortunately, German researchers from Ruhr University Bochum, FH Münster University of Applied Sciences, and Hackmanit GmbH have proven that password-protected PDF files are not invincible. According to the researchers, the PDF encryption standard can be exploited using PDF vulnerabilities, and using an attack model called PDFex, they have managed to prove that encrypted PDF files and password-protected PDF files can be breached. Without a doubt, this is incredibly unnerving, considering that, in some cases, highly sensitive information can be found within PDF files.

According to the researchers who have found a way to breach password-protected PDF files, it all comes down to ciphertext and plaintext. So, what exactly are we talking about here? Ciphertext is the text that is encrypted, and plaintext is the text before encryption. Researchers have found a way to mix these two texts and also employ certain PDF features that allow loading external sources via HTTP, and that has offered an opportunity to perform exfiltration attacks. That means that if a hacker figures out how to exploit ciphertext, plaintext, and PDF features, they might be able to access the data stored within the files. Researchers have also found that encrypted PDF files are not impenetrable due to the CBC (Cipher Block Chaining) encryption mode that, according to them, does not go through reliable “integrity checks.” It is believed that the used encryption algorithm is malleable, which might offer an opportunity to “transform ciphertext into another ciphertext which decrypts to a related plaintext,” as described by this source.
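The malleability of CBC described above, and the integrity check that catches it, shown as an added example that is not code from the researchers or from this article. It assumes a stand-in Feistel block cipher in place of AES (so it runs with the standard library only), an IV stored in front of the ciphertext, HMAC-SHA256 as the integrity check, and constructed keys and plaintext.

```python
import hashlib, hmac, os

BLOCK = 16  # block size in bytes, the same as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, i, half):
    # Round function of a stand-in Feistel cipher (assumption: NOT AES, illustration only).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, round_fn(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, round_fn(key, i, l)), l
    return l + r

def cbc_encrypt(key, pt):
    out = [os.urandom(BLOCK)]  # random IV, stored in front of the ciphertext
    for i in range(0, len(pt), BLOCK):  # pt must be a multiple of BLOCK bytes
        out.append(enc_block(key, xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, blob):
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    return b"".join(xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def tag_for(key, blob):
    return hmac.new(key, blob, hashlib.sha256).digest()

def verify(key, blob, tag):  # the integrity check that plain CBC lacks
    return hmac.compare_digest(tag, tag_for(key, blob))

def demo():
    enc_key, mac_key = b"constructed-key-A", b"constructed-key-B"
    original, related = b"status=draft;   ", b"status=final;   "  # constructed, 16 bytes each
    blob = cbc_encrypt(enc_key, original)
    tag = tag_for(mac_key, blob)
    # Change the stored bytes without any key: XOR a difference into the IV block.
    changed = xor(blob[:BLOCK], xor(original, related)) + blob[BLOCK:]
    return cbc_decrypt(enc_key, changed), verify(mac_key, changed, tag), verify(mac_key, blob, tag)

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the plaintext that the modified data decrypts to, then whether the MAC accepts the modified data, then whether it accepts the untouched data. Plain CBC decrypts the modified bytes without any error, while the MAC computed over IV and ciphertext rejects them.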

The researchers who discovered the PDF vulnerability analyzed 27 unique PDF viewers, and 23 of them were proven to be vulnerable to exfiltration attacks. PDF viewers that were compatible with Windows and Linux were found to be vulnerable, and only Mac-compatible Preview and Skim viewers withstood direct exfiltration attacks. Mozilla Firefox and Safari browsers were proven to be reliable, while Google Chrome and Opera were not. Unfortunately, even if the owner of a PDF file were to use reliable viewers only, they could still be at risk. It was also found that signed documents can be forged, which could put the recipients of such documents at risk. Researchers tested PDFex attacks against signed documents, and it was found that the content of the document could be changed without changing the signature. 22 PDF viewer applications were tested, and only one withstood the attack. Out of 7 online validation services, 5 were proven to be vulnerable. CVE-2018-16042, CVE-2018-18688, and CVE-2018-18689 patches were released to ensure that cybercriminals could not exploit the detected PDF vulnerability, and now users of desktop PDF viewers must install the latest versions and update outdated versions.

Could this PDF vulnerability help cybercriminals steal data?

If the creators of PDF viewers do not address the vulnerabilities, and if users themselves are not quick to install the necessary security updates, it is always possible that the discovered PDF vulnerability could lead to big troubles. After all, cybercriminals ALWAYS find a way to exploit even the most insignificant vulnerabilities, and this one is much greater than that. Unfortunately, password-protected PDF files can create an illusion of safety. Therefore, people might choose to include much more sensitive information. This is especially important if encrypted files are sent to others. Overall, the PDF encryption standard has been proven to be weak, and so the data within PDF files is not safe. Whether you share it – along with the password – with someone else or you keep it to yourself, you need to think twice before you decide to store any sensitive data within PDF files.

For example, some people use password-protected PDF files to store passwords, credit card numbers, social security numbers, contact information, and other kinds of sensitive data. It feels safe, and it might also seem convenient because if a PDF file is saved on a virtual cloud, it can be accessed from any device. Well, if cybercriminals manage to exploit PDF vulnerabilities, or if they are able to brute-force a weak password that is meant to keep the information inside inaccessible to strangers, you will not be safe. Luckily, there are other ways to secure your personal data. A free tool called Cyclonis Password Manager can be used to generate and manage passwords, and it also can be used to keep sensitive information away from those who are not supposed to access it. All information that you choose to protect using Cyclonis is encrypted. Wait a minute, didn’t we just talk about PDF vulnerabilities caused by poor encryption standards? Luckily, the encryption standards employed by Cyclonis are trustworthy.

Without a doubt, you need to be very careful and very selective when you digitize any personal data. By now, you must be familiar with the saying that everything posted online is there forever. Unfortunately, the information we try to conceal using password-protected files and even the information we type in as we log in might become vulnerable too. Therefore, you need to be cautious every step of the way. You need to be careful about the PDF viewers you use, the information you add to PDF documents, how you share and protect these documents, as well as how quick you are to respond to news about hacks or to install the latest updates. Of course, even though a big part of your virtual security is in your hands, you might be out of control if service providers cannot patch security vulnerabilities.

In conclusion, if you want to be safe, you need to continue learning and educating yourself. It is also important that you choose how you protect information and your own identity in the digital world. Also, remember that passwords are like locks, and if they are flimsy and old, they will not hold against the power of cybercriminals. ALWAYS set up the strongest and most unique passwords you can, and also be cautious about the services and applications you use because, in some cases, they are the weakest links.

December 10, 2019
