Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs
2021-02-23 02:46

Researchers have demonstrated a novel class of attacks that could allow a bad actor to circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents.

To carry out the attack, a malicious actor creates a PDF document with two different contents: the content that the signing party expects to see, and a piece of hidden content that gets displayed once the PDF is signed.

"The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."

Shadow attacks build upon a similar threat devised by the researchers in February 2019, when they found that it was possible to alter an existing signed document without invalidating its signature, thereby making it possible to forge a PDF document.

Although vendors have since applied security measures to fix the issue, the new study extends this attack model to determine whether an adversary can modify the visible content of a digitally signed PDF without invalidating its signature, assuming that they can manipulate the PDF before it's signed.

At their core, the attacks leverage "harmless" PDF features that do not invalidate the signature: "incremental updates", which allow changes to be appended to a PDF, and "interactive forms". These are used to hide the malicious content behind seemingly innocuous overlay objects, or to directly replace the original content after the document is signed.
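Because an incremental update is appended after the bytes the signature covers, a recipient can check whether a signed file carries data outside its signed `/ByteRange`. The following is an added example, not code from the researchers or the article; the function names and the sample bytes are constructed for illustration.

```python
import re

# /ByteRange [off1 len1 off2 len2]: the two byte spans a PDF signature covers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def unsigned_tail(pdf: bytes) -> bytes:
    """Return the bytes that follow the end of the widest signed range."""
    ranges = [tuple(map(int, m.groups())) for m in BYTE_RANGE.finditer(pdf)]
    if not ranges:
        raise ValueError("no /ByteRange found: file carries no signature")
    covered_end = max(off2 + len2 for _, _, off2, len2 in ranges)
    if covered_end > len(pdf):
        raise ValueError("/ByteRange extends past end of file")
    return pdf[covered_end:]

def check(pdf: bytes) -> dict:
    """Summarise what was appended after signing."""
    tail = unsigned_tail(pdf)
    return {"unsigned_bytes": len(tail),
            "revisions_after_signing": tail.count(b"%%EOF")}

def make_sample() -> bytes:
    """Constructed, signed-PDF-shaped bytes (not a renderable document)."""
    prefix = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig "
              b"/ByteRange [0 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC] /Contents ")
    sig = b"<" + b"00" * 16 + b">"          # placeholder signature value
    suffix = b" >>\nendobj\n%%EOF\n"
    len1, len2 = len(prefix), len(suffix)
    # Fill the fixed-width placeholders so the offsets describe this very file.
    prefix = (prefix.replace(b"AAAAAAAAAA", b"%010d" % len1)
                    .replace(b"BBBBBBBBBB", b"%010d" % (len1 + len(sig)))
                    .replace(b"CCCCCCCCCC", b"%010d" % len2))
    return prefix + sig + suffix

SIGNED = make_sample()
# Constructed incremental update appended after signing.
UPDATE = b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"
APPENDED = SIGNED + UPDATE

if __name__ == "__main__":
    print("as signed:   ", check(SIGNED))
    print("after update:", check(APPENDED))
```

A non-empty tail is not proof of tampering, since later signatures and timestamps are also added as incremental updates; it marks the revisions whose effect on the visible content still has to be reviewed.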


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/A5OfTZs8TG0/shadow-attacks-let-attackers-replace.html