Threat Watch

New Attack Can Steal Data from Encrypted PDF Files

New research from a team of academics at Ruhr-University Bochum and Münster University in Germany details an attack that has the potential to exfiltrate data from encrypted Portable Document Format (PDF) files. Named “PDFex,” this new attack comes in two variants. The first variant, data exfiltration, takes advantage of the fact that PDF apps do not encrypt an entire PDF file. With this, an attacker can modify the unencrypted fields, add objects, or wrap encrypted parts into a context controlled by the attacker. This can be done via PDF forms, JavaScript code, or hyperlinks. The second variant uses CBC gadgets to exfiltrate plaintext. PDF encryption normally defines no authenticated encryption, so attackers can modify the plaintext data directly within an encrypted object by prefixing it with a URL. The researchers tested the PDFex attack techniques against 27 widely used PDF viewers, such as Adobe Acrobat, Foxit Reader, Evince, Nitro, and the built-in PDF viewers of Chrome and Firefox, and found all of them vulnerable to this attack.


With this being a new exploit, a patch has yet to be released. Organizations and individuals alike should begin researching additional methods for encrypting files for data transmission. This technique is not effective against PDF files encrypted using external software; it only works against the encryption built into the PDF standard itself. To best protect sensitive documents when sending them to another person, place the document into an encrypted archive file such as 7zip, use a strong password, and send the password to your intended recipient using a different method of communication than the one used to send the encrypted document. For example, email the document, but call or text the password to the recipient.
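
To find documents that rely on the PDF standard's own encryption, and so should be re-wrapped in an external encrypted archive as described above, a byte-level check of the file's encryption dictionary is enough for triage. The following is an added example, not code from the researchers or from any PDF vendor; the function names and the sample file are constructed, the dictionary keys (`/Encrypt`, `/Filter`, `/CFM`, `/StmF`, `/StrF`, `/EncryptMetadata`) come from the PDF specification rather than from this article, and the scan is a heuristic rather than a full PDF parser.

```python
import re

# Constructed sample (not from the research): a PDF skeleton whose trailer points at
# a standard-security-handler encryption dictionary using AES-256 crypt filters.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
5 0 obj
<< /Filter /Standard /V 5 /R 6 /Length 256
   /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
   /StmF /StdCF /StrF /Identity /EncryptMetadata false /P -1028 >>
endobj
trailer
<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>
%%EOF
"""

def _name(body, key):
    """Return the PDF name that follows /key in a dictionary body, or None."""
    m = re.search(rb"/" + key + rb"\s*/(\w+)", body)
    return m.group(1).decode() if m else None

def inspect_pdf_encryption(data):
    """Heuristic byte scan: report whether a PDF relies on its built-in encryption."""
    report = {"builtin_encryption": False, "handler": None, "cfm": [],
              "aes_cbc": False, "partially_encrypted": False}
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    inline = re.search(rb"/Encrypt\s*<<", data)
    if ref:  # indirect reference: pull the body of the referenced object
        pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
        obj = re.search(pat, data, re.S)
        body = obj.group(1) if obj else b""
    elif inline:  # dictionary written directly in the trailer
        body = data[inline.end():inline.end() + 2048]
    else:
        return report
    report["builtin_encryption"] = True
    report["handler"] = _name(body, b"Filter")
    report["cfm"] = sorted({m.decode() for m in re.findall(rb"/CFM\s*/(\w+)", body)})
    # AESV2 and AESV3 are the PDF crypt-filter methods that use AES in CBC mode.
    report["aes_cbc"] = any(c in ("AESV2", "AESV3") for c in report["cfm"])
    # Identity filters or unencrypted metadata leave part of the file in plaintext.
    report["partially_encrypted"] = (
        "Identity" in (_name(body, b"StmF"), _name(body, b"StrF"))
        or re.search(rb"/EncryptMetadata\s+false", body) is not None)
    return report

if __name__ == "__main__":
    print(inspect_pdf_encryption(SAMPLE_PDF))
```

Any file for which `builtin_encryption` is true depends on the PDF standard's encryption; the `aes_cbc` and `partially_encrypted` flags only add detail about how that file was protected.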