12 Replies Latest reply on Aug 8, 2017 7:35 AM by gdsafd

    Google DocHub bypasses Adobe Security Settings

    gdsafd

      Google DocHub instantly (and for free) allows others to edit security protected documents and then send back as .pdf that to the untrained eye looks like it wasnt edited. HUGE SECURITY ISSUE. We had a customer go to sign an agreement using dochub and in doing so he altered our pricing very easily. These fields were originally fillable which we complete and then we sign in order to lock the form. He dropped it into DocHub and it instantly opened up all fillable fields that were locked using Adobe's password protected security feature. I verified this by creating my own dochub account with my google account (took under 2 min). Not happy about this!

        • 1. Re: Google DocHub bypasses Adobe Security Settings
          try67 MVP & Adobe Community Professional

          Nor should you be... but your anger should be directed elsewhere, at Google. They need to improve their code and adhere to the PDF ISO Standards. Adobe has nothing to do with it.

          • 2. Re: Google DocHub bypasses Adobe Security Settings
            gdsafd Level 1

            if a burglar breaks my window and my alarm fails to go off I dont respond by saying that the burglar should have broken in elsewhere to my house... I respond that saying my security system has a flaw

            • 3. Re: Google DocHub bypasses Adobe Security Settings
              try67 MVP & Adobe Community Professional

              That's not the case. It's like someone invented a good alarm system and then shared it with other security companies so as many people as possible could enjoy it. These companies then went out and provided the master-key to disable that alarm with the entire world... Who's to blame then?

              And as much as I like real-world analogies, they don't always work...

               

              Adobe released the PDF specifications to the world. It's an open ISO that anyone can use to develop a PDF viewer. Some companies do a better job than others in doing so, but the responsibility is with them. There's no "ISO police" that enforces the standard. And by the way, when you apply a security policy in Acrobat it is clearly stated that 3rd-party applications might not enforce it.

              • 4. Re: Google DocHub bypasses Adobe Security Settings
                Test Screen Name Most Valuable Participant

                This "untrained eye" needs to lean about digital signatures because security is not even a meaningful concept for PDF.  Just a word, some hints that are often ignored. Hence Adobe's clear warning. Signatures are used to prove something wasn't edited.

                • 5. Re: Google DocHub bypasses Adobe Security Settings
                  gdsafd Level 1

                  Thank you to everyone for your responses and helpful suggestions on how to address this issue. I did contact Adobe Support and spent about 1.5 hours trialing different settings and workarounds (unfortunately those didn't work... yet).... Luckily adobe is not taking the "not our fault, not our problem" approach but were very helpful and concerned regarding the issue. They have escalated the concern and are going to look for some sort of solution/ patch/ workaround/ update to help minimize the impact that DocHub has on adobe forms and various adobe security settings. Kisses.

                  • 6. Re: Google DocHub bypasses Adobe Security Settings
                    margueritek Level 2

                    If you add a digital signature to the document you still won't be able to keep Google from changing things. BUT, the signature will become invalid if that happens (because part of the signature validation process in Acrobat looks for field modification post signing). Did you look at the bar above the document when you opened it?

                    • 7. Re: Google DocHub bypasses Adobe Security Settings
                      gdsafd Level 1

                      Oddly enough the bar didn't appear stating that the signatures were invalid or properties altered. You can surely see in the Properties that the document had been edited and the PDF Producer had changed. But it completely wiped the "security method" to No Security. The other way you could tell is that the returned document came back with all of the fillable fields reopened and not flattened and their field properties altered, ie text extending past the field width and adding the black + sign (which was the first tip off). The end users however are just seeing a returned document that has been signed (some using desktop and others using ios) and aren't investigating any further than that. I did do staff education on how to detect this, though I'm not sure how long they'll be diligent about this extra step. For the few customers that we know are using DocHub we're just going to complete the form, print it and then scan it to them for the time being to help prevent adjusting the document and pricing info... this isn't the best solution as they could easily alter if they have Acrobat DC but it wont be as easy within the dochub app.

                      • 8. Re: Google DocHub bypasses Adobe Security Settings
                        margueritek Level 2

                        Google probably did a Full Save, that removed the digital signatures (but left the appearance). Not much can be done with non-compliant applications. Sorry. You probably need to find a way to "flatten" the fields you have filled in (that is, turn them into page content, no longer fields). But Acrobat doesn't have that feature. One workaround is to "re-fry" the document: Save it as a PDF through the PDF Printer. That should flatten everything.

                        • 9. Re: Google DocHub bypasses Adobe Security Settings
                          gdsafd Level 1

                          I hadn't thought about the pdf printer... good idea. Thanks. -g

                          • 10. Re: Google DocHub bypasses Adobe Security Settings
                            Bernd Alheit Adobe Community Professional & MVP

                            Acrobat can flatten form fields!

                            • 11. Re: Google DocHub bypasses Adobe Security Settings
                              margueritek Level 2

                              That wasn't much help. You could have said: Acrobat can flatten form fields! Look in:

                              Tools->Print Production->Preflight->Profiles->PDF Fixups->Flatten Annotations and Form Fields->Analyze and Fix

                               

                              Not very obvious, though.

                              • 12. Re: Google DocHub bypasses Adobe Security Settings
                                gdsafd Level 1

                                margueritek you're awesome!

                                 

                                Just a few notes:

                                 

                                Most of the end users are using Adobe Reader and thus dont have the option to flatten the document via Print Production. Although I did verify that this method did work to prevent dochub from editing the previously fillable fields.

                                 

                                The re-fry method also worked like a charm although I had to use microsoft print to pdf as the "adobe pdf" print option did not work due to the password security protection on the document... when tried it saved a .txt file saying the file was encrypted. When I "printed" the document using microsoft print to pdf it worked and I verified that dochub was unable to edit those fields.

                                 

                                So for now we'll be using this method, only downside is that we need to know which of customers are using dochub or else do this for every single document (which would be quite time consuming). Hopefully the staff over at Adobe will be successful in finding a solution that doesn't require "work-arounds" and will make this process much smoother. Then we can go back to using adobe pdf as it was intended.

                                 

                                Thanks again for all of your help margueritek... glad to hear from someone with solutions! -g