Researchers Show How Digitally Signed PDFs Can Be Manipulated

Attackers Could Use Tactic to Insert Malicious Content
Changing the content on digitally signed PDFs (Source: Ruhr University Bochum)

Hackers could manipulate certain digitally signed PDF documents to add malicious content, according to a study by researchers at Germany's Ruhr University of Bochum. The researchers found 16 PDF apps vulnerable to such exploits.

The researchers note the "shadow attack" tactics involve injecting invisible content during the signing of a document. The attacks don't rely on any parsing vulnerabilities or JavaScript injection. Instead, they take advantage of what the researchers describe as "the enormous flexibility provided by PDF specifications."

"The central concept of shadow attacks is that the attackers prepare a PDF document by injecting invisible content – shadow content," the report notes. "Despite the integrity protection provided by the digital signature, the attackers can modify the signed shadow document and change the shadow content’s visibility. Nevertheless, the manipulation is not detected, and the digital signature remains valid."

As a result, attackers could use the shadow document to add, remove or replace the content in digitally signed PDFs before validation of the signature. This can apply to contracts, invoices and other documents using secure signatures. Recipients of the altered documents see different content than the person who signed them.

The researchers who tested the technique found that 16 of 29 PDF apps were vulnerable to shadow attacks. These included Adobe Acrobat, Foxit Reader, Perfect PDF and Okular.

The researchers provided a detailed vulnerability report to Germany's CERT-Bund. "Some of the vendors contacted us regarding a re-test of their countermeasures, which we also provided," the researchers say.

Attack Tactics

Tests by the university researchers determined that after an attacker injected shadow document details before a PDF was signed, they could:

  • Hide content: The attackers could overlay images or form fields to hide the content.
  • Replace content: Attackers could change the document's visible content by adding malicious content before the PDF is signed instead of modifying the PDF after the signature has been applied.
  • Hide and replace content: Because the PDF signers cannot detect the hidden content, the attackers could send a shadow PDF with a hidden description of another document within the invisible document. After signing, the attacker could append the document with the hidden content.
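
A defender-side triage check for the "append after signing" step in the list above, added here as an example (it is not code from the researchers or from this article). It assumes the standard PDF signature `/ByteRange` array and flags bytes that sit after the last signed range; it does not verify the signature itself, and the sample document, labels and function names are constructed for illustration.

```python
import re

# /ByteRange [off1 len1 off2 len2] names the two byte spans the signature digest covers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def classify(pdf: bytes) -> str:
    """Return 'unsigned', 'malformed-byterange', 'covered' or
    'modified-after-signing' (hypothetical labels for this example)."""
    ranges = [tuple(map(int, m.groups())) for m in BYTE_RANGE.finditer(pdf)]
    if not ranges:
        return "unsigned"
    # A range must start at byte 0, keep its two spans in order and stay inside the file.
    if any(o1 != 0 or o2 < l1 or o2 + l2 > len(pdf) for o1, l1, o2, l2 in ranges):
        return "malformed-byterange"
    signed_end = max(o2 + l2 for _, _, o2, l2 in ranges)
    # Anything other than whitespace after the last signed byte is an
    # incremental update that no signature covers; it needs human review.
    appended = pdf[signed_end:].strip()
    return "modified-after-signing" if appended else "covered"

def build_signed_sample() -> bytes:
    """Constructed stand-in for a signed PDF; the signature is a placeholder."""
    pre = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange "
           b"[0 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC] /Contents ")
    sig = b"<" + b"00" * 16 + b">"
    post = b" >>\nendobj\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"
    fields = ((b"A", len(pre)), (b"B", len(pre) + len(sig)), (b"C", len(post)))
    for tag, value in fields:
        pre = pre.replace(tag * 10, b"%-10d" % value)  # same width, offsets unchanged
    return pre + sig + post

if __name__ == "__main__":
    signed = build_signed_sample()
    # Constructed incremental update appended after signing.
    updated = signed + b"3 0 obj\n<< /Type /Page >>\nendobj\n%%EOF\n"
    for name, doc in (("as signed", signed), ("after update", updated)):
        print(name, "->", classify(doc))
```

Incremental updates also have legitimate uses, so a "modified-after-signing" result marks a file for review rather than proving manipulation.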

Adobe Vulnerability

The report notes that the shadow attack against Adobe Reader allowed the researchers to achieve privilege escalation on Adobe products, letting them perform highly privileged actions on victims’ computers.

This month, Adobe released patches for several other critical vulnerabilities in Adobe Reader and other critical bugs in Adobe Acrobat, Magento, Photoshop, Animate, Illustrator and Dreamweaver.

In November, the company released patches for 14 vulnerabilities in Adobe Acrobat and Reader for Windows and macOS which, when exploited, could lead to remote code execution.

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.