Dealing with Signature Shadow PDF "vulnerability"

Albert Astals Cid aacid at kde.org
Sun Aug 2 22:46:29 BST 2020


Discussing in the open because I don't think it's really a vulnerability and because the report is public anyway.

So there's a series of attacks on PDF viewers that rely on modifying a PDF after it was signed.

For example, you sign a PDF that says "sign to get your annual bonus" and then the PDF is modified to say "you're fired" and still has your signature on it.

https://pdf-insecurity.org/download/exploits-shadow/hide.zip

When opening the "forged" PDF file in Okular we currently display the "The document is digitally signed" banner (which is true, but not "the whole truth").

It's not until you open the properties of the signature that it says "there have been changes to the document since signed" and also provides a "Click here to see the version that was signed".

I'd say that is good, but arguably a bit hidden.

My suggestion would be to bring the "there have been changes to the document since signed" wording to the "The document is digitally signed" banner.

What do you think?

Cheers,
  Albert
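To make the "changes since signed" check concrete, here is an added Python example (not Okular or poppler code) that does the structural part of what the signature properties dialog reports: it reads each signature's /ByteRange and flags any bytes appended after the signed range. The toy "signed" PDF bytes and the appended update are constructed inline and are not taken from the hide.zip file; a real viewer additionally verifies the hash and certificate, which this example skips.

```python
import re

# /ByteRange [a b c d]: the signature hash covers bytes a..a+b and c..c+d,
# with the /Contents hex string sitting in the gap between them.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def check_signature_coverage(pdf: bytes) -> list:
    """Report, per signature, whether the signed range ends at EOF.
    Anything past the signed range is an incremental update saved after
    signing: the signature still verifies, but the bytes the viewer
    renders are no longer only the bytes that were signed."""
    findings = []
    for m in BYTE_RANGE_RE.finditer(pdf):
        a, b, c, d = (int(x) for x in m.groups())
        signed_end = c + d
        findings.append({
            "covers_file_start": a == 0,
            "signed_end": signed_end,
            "file_len": len(pdf),
            "modified_after_signing": signed_end < len(pdf),
            # each incremental update ends with its own %%EOF marker
            "updates_after_signing": pdf[signed_end:].count(b"%%EOF"),
        })
    return findings


def build_signed_sample() -> bytes:
    """Constructed toy 'signed' PDF (placeholder, not a real signature):
    fixed-width offsets are filled in on a second pass so the range is exact."""
    template = (b"%%PDF-1.7\n"
                b"1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d]"
                b" /Contents <%s> >>\nendobj\n"
                b"2 0 obj\n<< /Type /Annot /Contents (sign to get your annual bonus) >>\nendobj\n"
                b"trailer\n<< /Root 3 0 R >>\n%%%%EOF\n")
    sig_hex = b"0" * 16                      # stands in for the PKCS#7 blob
    draft = template % (0, 0, 0, sig_hex)
    b = draft.index(b"<" + sig_hex)          # offset of the '<' before the blob
    c = b + len(sig_hex) + 2                 # first byte after the closing '>'
    return template % (b, c, len(draft) - c, sig_hex)


def shadow_update(signed: bytes) -> bytes:
    """Constructed incremental update: redefines object 2 after the
    signature, the shape of change described in the report."""
    return signed + (b"2 0 obj\n<< /Type /Annot /Contents (you're fired) >>\nendobj\n"
                     b"trailer\n<< /Root 3 0 R >>\n%%EOF\n")
```

Note that a legitimately multi-signed document also has its earlier signatures' ranges ending before EOF, so a viewer has to say what the later update changed, not only that one exists.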

More information about the Okular-devel mailing list