Researcher Exploits Browser Rendering Process to Alter PDF Invoice Pricing
Security researcher Zakhar Fedotkin has demonstrated how differences in PDF rendering across browsers and operating systems can be exploited to manipulate the price displayed on a PDF invoice.
The issue could significantly affect businesses that rely on digital invoices for transactions.
Inspired by Konstantin Weddige's blog post "Kobold Letters", the researcher built a proof of concept showing how a single PDF invoice can display different prices depending on the viewer used to open it.
In the demonstration, a PDF invoice showed a total of £399 when viewed in Safari and macOS Preview. The same file showed a total of £999 when opened in Google Chrome or Google Drive on Windows.
Fickle PDFs
PDF rendering discrepancies arise because each major browser uses a different engine to render PDF files:
- Google Chrome: uses PDFium.
- Safari: uses Apple's own PDF rendering engine.
- Firefox: uses PDF.js.
These engines handle interactive form fields and widget annotations differently, so the same PDF file can be displayed inconsistently across platforms.
The researcher used the Apache PDFBox Java library (org.apache.pdfbox) to create a hybrid PDF that abuses widget annotations to produce rendering discrepancies. The technique involves:
- Building an interactive form: the form contains at least one text input field whose stored value is the "real" price (e.g., £399).
- Adding a widget annotation with a custom appearance stream: the stream draws a different value (e.g., £999), which is what appears in viewers that render the stored appearance stream instead of regenerating the field's appearance from its value.
Here is a simplified version of the code used (PDFBox 2.x API; imports and the enclosing class are omitted). The field's value (/V) is set to £399, after which the widget's normal appearance (/AP /N) is overwritten with a stream that draws £999:

```java
PDDocument document = new PDDocument();
PDPage page = new PDPage();
document.addPage(page);
PDAcroForm acroForm = new PDAcroForm(document);
document.getDocumentCatalog().setAcroForm(acroForm);
PDResources resources = new PDResources();
resources.put(COSName.getPDFName("Helv"), PDType1Font.HELVETICA);
acroForm.setDefaultResources(resources);           // font used by the generated appearance
// The form field: its stored value (/V) is the genuine price
PDTextField field = new PDTextField(acroForm);
field.setPartialName("total");
field.setDefaultAppearance("/Helv 12 Tf 0 g");
acroForm.getFields().add(field);
PDAnnotationWidget widget = field.getWidgets().get(0);
widget.setRectangle(new PDRectangle(50, 700, 150, 20));
widget.setPage(page);
page.getAnnotations().add(widget);
field.setValue("£399");                             // PDFBox also generates an appearance showing £399
// Replace the widget's normal appearance (/AP /N) with a custom stream that draws £999
PDAppearanceStream appearanceStream = new PDAppearanceStream(document);
appearanceStream.setBBox(new PDRectangle(150, 20));
appearanceStream.setResources(resources);
try (PDPageContentStream appearanceContents = new PDPageContentStream(document, appearanceStream)) {
    appearanceContents.beginText();
    appearanceContents.setFont(PDType1Font.HELVETICA, 12);
    appearanceContents.newLineAtOffset(2, 5);
    appearanceContents.showText("£999");
    appearanceContents.endText();
}
PDAppearanceDictionary appearance = new PDAppearanceDictionary();
appearance.setNormalAppearance(appearanceStream);
widget.setAppearance(appearance);
document.save("Invoice.pdf");
document.close();
```
This inconsistency can have serious financial consequences if it is not addressed. For example, a CEO might approve an invoice based on the £399 displayed in Safari, only for the accounting department to process a payment of £999 after viewing the same invoice in Google Chrome.
The complexity and ambiguity of PDF rendering across platforms call for caution when handling digital invoices.
Businesses should ensure that everyone involved in the approval and payment process uses the same PDF viewer to avoid such discrepancies. Developers and security professionals should also be aware of these weaknesses in order to guard against their exploitation.
Examples of Fickle PDFs can be found in the researcher's GitHub repository for those interested in the technical details and the code used in this research.
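Using one viewer everywhere only hides the problem; a receiving party can instead test for it directly. The hybrid PDF described above diverges in exactly one place: the field's stored value (/V) and the text drawn by the widget's normal appearance stream (/AP /N) disagree. The following PDFBox 2.x program is an added example written for this page, not code from the article or the researcher's repository; the class and method names (FickleFieldCheck, check, textOf) are my own. It walks every text field, extracts the string operands of the text-showing operators from the widget's appearance stream, and reports any field whose drawn text does not match its value:

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.pdfbox.contentstream.operator.Operator;
import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSBase;
import org.apache.pdfbox.cos.COSString;
import org.apache.pdfbox.pdfparser.PDFStreamParser;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.apache.pdfbox.pdmodel.interactive.annotation.PDAnnotationWidget;
import org.apache.pdfbox.pdmodel.interactive.annotation.PDAppearanceDictionary;
import org.apache.pdfbox.pdmodel.interactive.annotation.PDAppearanceEntry;
import org.apache.pdfbox.pdmodel.interactive.annotation.PDAppearanceStream;
import org.apache.pdfbox.pdmodel.interactive.form.PDAcroForm;
import org.apache.pdfbox.pdmodel.interactive.form.PDField;
import org.apache.pdfbox.pdmodel.interactive.form.PDTextField;

/**
 * Hypothetical checker (not part of the original research): reports text fields
 * whose stored value (/V) differs from the text drawn by the widget's /AP /N stream.
 */
public class FickleFieldCheck {

    /** One field whose value and rendered appearance disagree. */
    public static final class Mismatch {
        public final String field, value, shown;
        Mismatch(String field, String value, String shown) {
            this.field = field; this.value = value; this.shown = shown;
        }
        @Override public String toString() {
            return field + ": /V=\"" + value + "\" but appearance draws \"" + shown + "\"";
        }
    }

    public static List<Mismatch> check(PDDocument doc) throws IOException {
        List<Mismatch> out = new ArrayList<>();
        PDAcroForm form = doc.getDocumentCatalog().getAcroForm();
        if (form == null) return out;                      // no interactive form: nothing to compare
        for (PDField f : form.getFieldTree()) {
            if (!(f instanceof PDTextField)) continue;     // check boxes/buttons draw symbols, not /V
            String value = normalize(f.getValueAsString());
            for (PDAnnotationWidget w : ((PDTextField) f).getWidgets()) {
                PDAppearanceDictionary ap = w.getAppearance();
                if (ap == null) continue;                  // viewer has to generate it from /V itself
                PDAppearanceEntry normal = ap.getNormalAppearance();
                if (normal == null || !normal.isStream()) continue;
                String shown = normalize(textOf(normal.getAppearanceStream()));
                if (!shown.equals(value)) {
                    out.add(new Mismatch(f.getFullyQualifiedName(), value, shown));
                }
            }
        }
        return out;
    }

    /** Collects the string operands of the text-showing operators Tj, TJ, ' and ". */
    static String textOf(PDAppearanceStream stream) throws IOException {
        PDFStreamParser parser = new PDFStreamParser(stream);
        parser.parse();
        StringBuilder text = new StringBuilder();
        List<COSBase> operands = new ArrayList<>();
        for (Object token : parser.getTokens()) {
            if (!(token instanceof Operator)) {
                if (token instanceof COSBase) operands.add((COSBase) token);
                continue;
            }
            String op = ((Operator) token).getName();
            COSBase last = operands.isEmpty() ? null : operands.get(operands.size() - 1);
            if (("Tj".equals(op) || "'".equals(op) || "\"".equals(op)) && last instanceof COSString) {
                text.append(((COSString) last).getString());
            } else if ("TJ".equals(op) && last instanceof COSArray) {
                for (COSBase e : (COSArray) last) {
                    if (e instanceof COSString) text.append(((COSString) e).getString());
                }
            }
            operands.clear();                              // operands belong to one operator only
        }
        return text.toString();
    }

    static String normalize(String s) {
        return s == null ? "" : s.trim().replaceAll("\\s+", " ");
    }

    public static void main(String[] args) throws IOException {
        try (PDDocument doc = PDDocument.load(new File(args[0]))) {
            List<Mismatch> found = check(doc);
            for (Mismatch m : found) System.out.println(m);
            System.exit(found.isEmpty() ? 0 : 1);          // non-zero exit lets a pipeline quarantine the file
        }
    }
}
```

Run against the invoice produced above it reports `total: /V="£399" but appearance draws "£999"`. Two caveats: the string decoding relies on COSString, which is exact for the standard 14 fonts with WinAnsi or PDFDoc encodings but not for embedded subset fonts with custom encodings, where the bytes must be mapped through the font's encoding or ToUnicode CMap before comparing; and an appearance stream that draws the price as vector paths or an image yields an empty string, which the check deliberately treats as a mismatch rather than silently accepting.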
Source credit: cybersecuritynews.com