Highlighted

Data leak security issue if compare files is used on adobe secured file

Community Beginner ,
Sep 23, 2020

Copy link to clipboard

Copied

The adobe version which I am using 

VeraUser1_0-1600848238877.png

Steps to replicate:

Create a pdf, secure it password protection:

1. Provide a password to open the file and (User password)

2. Restrict editing and select changes allowed to any except extracting pages

3. Enter change permissions password (author password)

4. Save the document and close it

5. Open the secured pdf, provide the user password below should be the security settings. 

 

The permissions on the document

VeraUser1_1-1600848288170.png

6. Select the compare tool, select this file. Select any other random pdf file (Note: No password prompts are shown here)

7. Select compare

8. the compare tool will generate a list of differences and opens the difference in a new tab.

9. Close the tab and go back to the orignal file tab.

10. Now the file is comletely unlocked.

Permissions post the usage of the compare files tool in the below image. 

VeraUser1_2-1600848627121.png

 

When compare file tool is used for this document, this doesn't prompt for the author password and directly compares the content of the file inspite of content copying and page extraction being not allowed. Also, once the compare tool is used then automatically the permissions of the file is being listed as everything is allowed. 

 

Automatically the user has has become the author of the file by using the compare tool. And the user can even remove the password if he wishes. All these without even knowing the author password. 

 

A serious security issue in Acrobat Pro DC

TOPICS
Acrobat SDK and JavaScript, Create PDFs, Edit and convert PDFs, Security digital signatures and esignatures, Standards and accessibility

Views

133

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

Data leak security issue if compare files is used on adobe secured file

Community Beginner ,
Sep 23, 2020

Copy link to clipboard

Copied

The adobe version which I am using 

VeraUser1_0-1600848238877.png

Steps to replicate:

Create a pdf, secure it password protection:

1. Provide a password to open the file and (User password)

2. Restrict editing and select changes allowed to any except extracting pages

3. Enter change permissions password (author password)

4. Save the document and close it

5. Open the secured pdf, provide the user password below should be the security settings. 

 

The permissions on the document

VeraUser1_1-1600848288170.png

6. Select the compare tool, select this file. Select any other random pdf file (Note: No password prompts are shown here)

7. Select compare

8. the compare tool will generate a list of differences and opens the difference in a new tab.

9. Close the tab and go back to the orignal file tab.

10. Now the file is comletely unlocked.

Permissions post the usage of the compare files tool in the below image. 

VeraUser1_2-1600848627121.png

 

When compare file tool is used for this document, this doesn't prompt for the author password and directly compares the content of the file inspite of content copying and page extraction being not allowed. Also, once the compare tool is used then automatically the permissions of the file is being listed as everything is allowed. 

 

Automatically the user has has become the author of the file by using the compare tool. And the user can even remove the password if he wishes. All these without even knowing the author password. 

 

A serious security issue in Acrobat Pro DC

TOPICS
Acrobat SDK and JavaScript, Create PDFs, Edit and convert PDFs, Security digital signatures and esignatures, Standards and accessibility

Views

134

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Sep 23, 2020 0
Most Valuable Participant ,
Sep 23, 2020

Copy link to clipboard

Copied

While security is essentially worthless and - as Adobe warn - can be removed or ignored by many apps, Adobe state that their own apps respect it. Please post bug report to https://www.adobe.com/products/wishform.html

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 23, 2020 1
Adobe Employee ,
Sep 23, 2020

Copy link to clipboard

Copied

Thanks for reporting this issue. We are currently investigating this.

Ankit Gupta

Software Development Engineer, Acrobat

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 23, 2020 1
Community Beginner ,
Sep 26, 2020

Copy link to clipboard

Copied

Thank you Ankit. Please do keep us informed about the proceedings of this bug if possible. 

Regards

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Sep 26, 2020 0