Fickle PDFs: exploiting browser rendering discrepancies
Summary
Researchers have discovered a vulnerability in how browsers and PDF readers handle certain PDF rendering discrepancies. This allows attackers to craft malicious PDFs that display one price to a user but a different, higher price to a payment processing system, potentially leading to unauthorized charges.
IFF Assessment
This vulnerability allows attackers to deceive users and systems, leading to financial fraud and unauthorized transactions.
Severity
The estimated CVSS score reflects a high attack complexity due to the need for specific browser/reader rendering differences and a significant impact on confidentiality and integrity through financial manipulation.
Defender Context
This attack highlights the importance of validating all critical data, especially financial figures, on the server-side rather than relying solely on client-side rendering. Defenders should be aware of potential attacks that exploit subtle differences in how various applications interpret and display data.