We want to thank the following students for their great contributions to this project: Karsten Meyer zu Selhausen, Nico Beckenkamp, Simon Rohlmann, Christian Pressler, and David Dankelmann.

Without your support our research would not be possible. We learned a lot from all of you and enjoyed the joint work.

We also want to thank David Herring for proof-reading our papers and improving our writing skills. It was a pleasure to work with you.

Best regards

Jörg Schwenk, Jens Müller, Simon Rohlmann, Christian Mainka, Vladislav Mladenov, and Martin Grothe

| Name | Topic | Thesis |
|---|---|---|
| Karsten Meyer zu Selhausen | Security of PDF Signatures | thesis (EN) |
| Simon Rohlmann | Sicherheitsanalyse und Evaluierung von signierten PDF Dokumenten | thesis (DE) |
| Christian Pressler | Evaluierung der Sicherheit von JavaScript in PDFs an dem Beispiel von Adobe Acrobat Reader DC | thesis (DE) |
| Nico Beckenkamp | Fiddling with PKCS#7 Signatures on the Example of PDF | coming soon … |
| David Dankelmann | Systematic Security Analysis of Signed PDF Documents | coming soon … |

Responsible Disclosure

We would like to thank the CERT-Bund team for their great support during the responsible disclosure process. We also want to acknowledge the vendor teams which reacted to our report and fixed the vulnerable implementations.

Furthermore, we would like to thank the Adobe security team for the professional, positive, and constructive communication during the entire responsible disclosure period.

Misc

Florian Zumbiehl

We would like to acknowledge Florian Zumbiehl, who found an interesting attack related to PDF signatures in PDF viewers back in 2010.

DocuSign researcher

We want to acknowledge the research of John Heasman and his team at DocuSign for finding one variant of the Signature Wrapping attack independently of our research. They tested and reported their attack against the following products:

ecsec GmbH and A-SIT

We also want to acknowledge the great contribution of Detlef Hühnlein (ecsec GmbH) and Herbert Leitold (A-SIT) for giving us a lot of information regarding the usage of PDF signatures in the wild and explaining the legal aspects of digitally signed documents to us.

Other

We also thank Good Free Photos for making available the photos we used to design the PDFex logo.

We would like to thank all security researchers working on PDF security for their great contributions.

We also would like to thank the software vendors who responsibly reacted to our findings and fixed the security issues.