Acknowledgements

We would like to thank the CERT-Bund team for their great support during the responsible disclosure process. We also want to acknowledge the vendor teams that reacted to our report and fixed the vulnerable implementations.

Florian Zumbiehl

We would like to acknowledge Florian Zumbiehl, who found an interesting attack related to PDF signatures in PDF viewers back in 2010.

DocuSign researcher

We want to acknowledge the research of John Heasman and his team at DocuSign for finding one variant of the Signature Wrapping attack independently of our research. They tested and reported their attack against the following products:

ecsec GmbH and A-SIT

We also want to acknowledge the great contribution of Detlef Hühnlein (ecsec GmbH) and Herbert Leitold (A-SIT), who gave us a lot of information regarding the usage of PDF signatures in the wild and explained to us the legal aspects of digitally signed documents.