A pair of techniques to surreptitiously alter the content of certified PDFs have been detailed by researchers in Germany.
The upshot is that someone could digitally add their signature to a PDF of, say, a contract, pass the file to a partner to digitally sign, and that second person could sneakily alter the contract’s text as well as sign it, creating confusion down the line. While the addition of the second signature would be permitted, tampering with the text should be detected and flagged up by application software – unless the second person uses the aforementioned techniques.
The exploits, dubbed Evil Annotation and Sneaky Signature, are detailed in a paper [PDF] and website by Ruhr University Bochum’s Simon Rohlmann, Dr Vladislav Mladenov, Dr Christian Mainka, and Professor Jörg Schwenk. The team were due to present their work at the 42nd IEEE Symposium on Security and Privacy, taking place online this week.
See the original article here: The Register