German Researchers Prove That Password-Protected PDF Files Can Be Breached

You create a PDF file. You put a password on it to ensure that no one can access the information inside it. You forget about the file and its security, thinking that you are 100% safe. Unfortunately, it was proven by German researchers from Ruhr University Bochum, FH Münster University of Applied Sciences, and Hackmanit GmbH that password-protected PDF files are not invincible. According to researchers,the PDF encryption standard can be exploited using PDF vulnerabilities, and using an attack model called PDFex, they have managed to prove that encrypted PDF files and password-protected PDF files can be breached. Without a doubt, this is incredibly unnerving, considering that, in some cases, highly sensitive information can be found within PDF files.

According to the researchers who have found a way to breach password-protected PDF files, it all comes down to ciphertext and plaintext. So, what exactly are we talking about here? According to whatis.com, Ciphertext is the text that is encrypted, and plaintext is the text before encryption. Researchers have found a way to mix these two texts and also employ certain PDF features that allow loading external sources via HTTP, and that has offered an opportunity to perform exfiltration attacks. That means that if a hacker figures out how to exploit ciphertext, plaintext, and PDF features, they might be able to access the data stored within the files. Researchers have also found that encrypted PDF files are not impenetrable due to the CBC (Cipher Block Chaining) encryption mode that, according to them, does not go through reliable “integrity checks.” It is believed that the used encryption algorithm is malleable, which might offer an opportunity to “transform ciphertext into another ciphertext which decrypts to a related plaintext,” as described by this source.

The researchers who discovered the PDF vulnerability analyzed 27 unique PDF viewers, and 23 of them were proven to be vulnerable to exfiltration attacks. PDF viewers that were compatible with Windows and Linux were found to be vulnerable, and only Mac-compatible Preview and Skim viewers withstood direct exfiltration attacks. Mozilla Firefox and Safari browsers were proven to be reliable, while Google Chrome and Opera were not. Unfortunately, even if the owner of a PDF file were to use reliable viewers only, they could still be at risk. It was also found that signed documents can be forged, which could put the recipients of such documents at risk. Researchers tested PDFex attacks against signed documents, and it was found that the content of the document could be changed without changing the signature. 22 PDF viewer applications were tested, and only one withstood the attack. Out of 7 online validation services, 5 were proven to be vulnerable.CVE-2018-16042, CVE-2018-18688, and CVE-2018-18689 patches were released to ensure that cybercriminals could not exploit the detected PDF vulnerability, and now users of Desktop PDF viewers must install the latest versions and update outdated versions.

Could this PDF vulnerability help cybercriminals steal data?

If the creators of PDF viewers do not address the vulnerabilities, and if users themselves are not quick to install the necessary security updates, it is always possible that the discovered PDF vulnerability could lead to big troubles. After all, cybercriminals ALWAYS find a way to exploit even the most insignificant vulnerabilities, and this one is much greater than that. Unfortunately, password-protected PDF files can create an illusion of safety. Therefore, people might choose to include much more sensitive information. This is especially important if encrypted files are sent to others. Overall, the PDF encryption standard has been proven to be weak, and so the data within PDF files is not safe. Whether you share it – along with the password – with someone else or you keep it to yourself, you need to think twice before you decide to store any sensitive data within PDF files.

For example, some people use password-protected PDF files to store passwords, credit card numbers, social security number, contact information, and other kinds of sensitive data. It feels safe, and it might also seem convenient because if a PDF file is saved on a virtual cloud, it can be accessed from any device. Well, if cybercriminals manage to exploit PDF vulnerabilities, or if they are able to brute-force a weak password that is meant to keep the information inside inaccessible to strangers, you will not be safe. Luckily, there are other ways to secure your personal data. A free tool called Cyclonis Password Manager can be used to generate and manage passwords, and it also can be used to keep sensitive information away from those who are not supposed to access it. All information that you choose to protect using Cyclonis is encrypted. Wait a minute, didn’t we just talk about PDF vulnerabilities caused by poor encryption standards? Luckily, the encryption standards employed by Cyclonis are trustworthy.

Without a doubt, you need to be very careful and very selective when you digitize any personal data. By now, you must be familiar with the saying that everything posted online is there forever. Unfortunately, the information we try to conceal using password-protected files and even the information we type in as we login might become vulnerable too. Therefore, you need to be cautious every step of the way. You need to be careful about the PDF viewers you use, the information you add to PDF documents, how you share and protect these documents, as well as how quick you are to respond to news about hacks or to install the latest updates. Of course, even though a big part of your virtual security is in your hands, you might be out of control if service providers cannot patch security vulnerabilities.

In conclusion, if you want to be safe, you need to continue learning and educating yourself. It is also important that you choose how you protect information and your own identity in the digital world. Also, remember that passwords are like locks, and if they are flimsy and old, they will not hold against the power of cybercriminals. ALWAYS set up the strongest and most unique passwords you can, and also be cautious about the services and applications you use because, in some cases, they are the weakest links.

By Foley
December 10, 2019
News
English
December 10, 2019
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

How To

How to Open a Protected PDF File If You Forgot the Password

So, you locked your PDF with a password to keep it safe from prying eyes but you forgot the password? Don't worry. It's actually pretty common, and there are ways to get around that. These days PDF is one of the most... Read more

June 19, 2018
How To

How to Password Protect RAR and ZIP Files

Adding files to a .RAR or .ZIP archive is one of the easiest and more convenient way of sending them over the Internet – especially if you need to send more than one file, or that one file is particularly hefty.... Read more

November 5, 2018
How To

How to Create a Password-Protected Zip File on Windows

Some of you may not remember that is, but it was entirely possible to create a zip file in Windows XP, which was password-protected. These days almost nobody uses XP anymore, except old office computers and maybe your... Read more

August 17, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.