How to fake PDF signatures

If you open a PDF document and your viewer displays a panel (like the one shown below) indicating that

  1. the document is signed by invoicing@amazon.de and
  2. the document has not been modified since the signature was applied,

you assume that the displayed content is precisely what invoicing@amazon.de created.

During recent research, we found out that this is not the case for almost all PDF desktop viewers and most online validation services.

So what is the problem?

With our attacks, we can take an existing signed document (e.g., an amazon.de invoice) and change its content arbitrarily without invalidating the signature. Thus, we can forge a document, signed by invoicing@amazon.de, that refunds us one trillion dollars.

To detect the attack, you would need to read and understand the PDF format in depth. Most people are probably not capable of such a thing (PDF file example).
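One piece of the in-depth reading the previous paragraph refers to, shown here as an added example that is not part of the original page and not the researchers' own tooling: a PDF signature dictionary carries a /ByteRange entry listing the byte offsets the signature digest covers. A careful validator can at least verify that the covered ranges start at offset 0, run to the end of the file, and leave uncovered only the /Contents hex string that holds the signature value. Bytes past the signed range were appended after signing (PDF's incremental-update mechanism) and are not vouched for by the signature, which is exactly what a "document has not been modified" panel must not hide. The function names, the minimal PDF-like byte strings and the placeholder signature value below are constructed for this example (they are not valid, renderable PDFs). The check is a coarse structural one: it does not validate the cryptographic signature itself and does not cover every way a signed file can be manipulated.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# /ByteRange [a b c d]: the digest covers bytes [a, a+b) and [c, c+d).
# The gap [a+b, c) is expected to hold only the /Contents hex string (the signature value).
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING_RE = re.compile(rb"<[0-9A-Fa-f\s]*>")


@dataclass
class ByteRangeReport:
    byte_range: Tuple[int, int, int, int]
    starts_at_zero: bool        # first covered range begins at file offset 0
    gap_is_hex_contents: bool   # uncovered bytes are just a hex string, as /Contents should be
    trailing_bytes: int         # bytes after the last covered byte (0 = signature reaches EOF)

    @property
    def covers_whole_file(self) -> bool:
        return self.starts_at_zero and self.gap_is_hex_contents and self.trailing_bytes == 0


def inspect_byteranges(pdf: bytes) -> List[ByteRangeReport]:
    """Structural check of every /ByteRange in the file, in file order.

    A signature whose ranges do not reach EOF says nothing about the trailing bytes:
    they were appended after signing (an incremental update) and can contain anything."""
    reports = []
    for m in BYTERANGE_RE.finditer(pdf):
        a, b, c, d = (int(x) for x in m.groups())
        gap = pdf[a + b:c]
        reports.append(ByteRangeReport(
            byte_range=(a, b, c, d),
            starts_at_zero=(a == 0),
            gap_is_hex_contents=(a + b <= c and HEX_STRING_RE.fullmatch(gap) is not None),
            trailing_bytes=len(pdf) - (c + d),
        ))
    return reports


def signature_vouches_for_whole_file(pdf: bytes) -> bool:
    """True only if the newest signature (the last /ByteRange in file order) spans the whole file.

    In a legitimately multi-signed file, earlier signatures stop before EOF because later
    revisions were appended on top of them; the newest one must still reach the end."""
    reports = inspect_byteranges(pdf)
    return bool(reports) and reports[-1].covers_whole_file


def build_sample_signed_pdf(signature_value: bytes = bytes(16)) -> bytes:
    """Constructed sample: a minimal PDF-like file with one signature dictionary whose
    /ByteRange is computed to cover everything except the /Contents hex string.
    Not a valid, renderable PDF; the signature value is a placeholder, not a real PKCS#7 blob."""
    prefix = (b"%PDF-1.7\n"
              b"1 0 obj\n"
              b"<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached\n   ")
    fmt = b"/ByteRange [0 %010d %010d %010d] /Contents "   # fixed-width fields keep offsets stable
    contents = b"<" + signature_value.hex().encode() + b">"
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b = len(prefix) + len(fmt % (0, 0, 0))   # end of first covered range = start of /Contents
    c = b + len(contents)                     # start of second covered range = end of /Contents
    d = len(tail)
    return prefix + (fmt % (b, c, d)) + contents + tail


def append_incremental_update(pdf: bytes, new_object_body: bytes) -> bytes:
    """Append a new revision after the signed bytes (constructed sketch of an incremental update).
    A real update also carries an xref section and a /Prev pointer; for the offset check only
    the extra bytes past the signed range matter."""
    update = (b"\n2 0 obj\n" + new_object_body + b"\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf + update


if __name__ == "__main__":
    signed = build_sample_signed_pdf()
    print("signed  :", inspect_byteranges(signed)[0], signature_vouches_for_whole_file(signed))
    tampered = append_incremental_update(signed, b"<< /Type /Annot /Contents (Refund: 1 trillion USD) >>")
    print("tampered:", inspect_byteranges(tampered)[0], signature_vouches_for_whole_file(tampered))
```

On the constructed sample, the original file reports zero trailing bytes and the appended revision reports exactly as many trailing bytes as were added; a viewer that shows "not modified" for the second file is ignoring bytes the signer never signed.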

To recap: you can take any signed PDF document and create a document that contains arbitrary content in the name of the signing user, company, ministry or state.

Source: PDF Signature Spoofing