Shadow Attack: Digitally signed PDF files prone to manipulation

Researchers at the Ruhr University in Bochum have changed the content of signed documents after they were signed. 15 out of 28 PDF viewers do not recognize the changes and incorrectly confirm the validity of the signature. Applications such as Adobe Acrobat and Foxit Reader are affected.

Researchers at the Ruhr University in Bochum have found a way to change the content of digitally signed PDF documents after the fact. The attack, which they call Shadow Attack, would allow, for example, adding clauses to contracts or changing amounts and account details after company invoices have been released for payment.

In their report, the researchers describe three variants of Shadow Attack. Of 28 examined PDF viewers, including applications such as Adobe Acrobat Pro, Adobe Acrobat Reader and Foxit Reader, 15 were vulnerable to at least one variant. The affected manufacturers were informed in early March 2020 in cooperation with the Federal Office for Information Security.

Shadow Attack Hide (Image: Ruhr University Bochum)

All three variants are based on weaknesses that the researchers had already made public in February 2019. At that time, they found that PDF applications check changes made to signed PDF documents in order to decide whether the signature is still valid. Some changes, however, are considered “harmless”, so the applications do not issue a warning. These “legitimate” changes can nevertheless be used to change the full content of a document.

The three new attack variants based on this technique are called Hide, Replace, and Hide and Replace. With Hide, the researchers hid an invisible element with additional or different content behind a visible element. Replace allows new elements to be added afterwards, which the PDF viewers classify as irrelevant. This apparently includes fonts, even though they make it possible to exchange numbers, for example to change invoice amounts.

Hide and Replace combines both variants. In this way, the researchers were able to completely replace the content of a document with previously hidden content.

“Hide and Replace is the most powerful variant because the content of the entire document can be exchanged. The attacker can create a complete shadow document that affects the appearance of each individual page or even the total number of pages and each object they contain,” the researchers explained. “A possible disadvantage could arise if unused objects are removed during the signing process. This could delete the shadow elements, making the second step of the attack unnecessary. A security scanner could also detect the unused objects in the PDF file and issue a warning. None of these disadvantages are currently occurring.”
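All three variants depend on a change made to the file after it was signed. The following Python check is an added example, not code from the researchers' report: it compares the `/ByteRange` of the outermost signature with the file length and reports any data outside the signed range. The function names and the sample bytes are constructed for illustration, and the script does not verify the signature itself.

```python
import re

# /ByteRange [o1 l1 o2 l2]: the signature covers bytes o1..o1+l1 and o2..o2+l2;
# the gap between the two ranges holds the signature value (/Contents <...>).
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def check_signed_pdf(pdf: bytes) -> dict:
    """Report data that lies outside the coverage of the outermost signature."""
    ranges = [tuple(int(g) for g in m.groups()) for m in BYTE_RANGE.finditer(pdf)]
    if not ranges:
        return {"signed": False, "well_formed": False, "tail_bytes": 0, "updates": 0}
    # With several signatures, the one reaching furthest into the file is outermost.
    o1, l1, o2, l2 = max(ranges, key=lambda r: r[2] + r[3])
    end = o2 + l2
    well_formed = o1 == 0 and l1 <= o2 and end <= len(pdf)
    tail = pdf[end:].strip() if well_formed else b""
    return {
        "signed": True,
        "well_formed": well_formed,
        "tail_bytes": len(tail),
        # Every incremental update appended to a PDF ends with its own %%EOF.
        "updates": tail.count(b"%%EOF"),
    }


def constructed_sample() -> bytes:
    """Constructed stand-in with the layout of a signed PDF (no real signature)."""
    tmpl = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [%010d %010d %010d %010d] /Contents "
    sig = b"<" + b"0" * 64 + b">"
    rest = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    l1 = len(tmpl % (0, 0, 0, 0))  # fixed-width numbers keep this length stable
    return tmpl % (0, l1, l1 + len(sig), len(rest)) + sig + rest


if __name__ == "__main__":
    signed = constructed_sample()
    # Constructed incremental update appended after signing.
    changed = signed + b"2 0 obj\n<< /Length 0 >>\nendobj\ntrailer\n<< /Prev 0 >>\n%%EOF\n"
    for name, data in (("as signed", signed), ("changed later", changed)):
        print(name, check_signed_pdf(data))
```

A non-zero `tail_bytes` is a reason to review the document, not proof of tampering, because PDF also permits legitimate updates after signing, such as further signatures or filled-in form fields.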

Patches are now available for most affected applications. They eliminate the vulnerabilities with the identifiers CVE-2020-9592 and CVE-2020-9596. For example, they have been available for Adobe’s PDF applications since May. Foxit even released its fixes in April.
