Shadow Attacks let Attackers Replace Content in Digitally Signed PDFs

upstart writes in with an IRC submission for SoyCow639:

Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs:

Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant."

The findings were presented yesterday at the Network and Distributed System Security Symposium (NDSS), with 16 of the 29 PDF viewers tested - including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular - found vulnerable to shadow attacks.

To carry out the attack, a malicious actor creates a PDF document with two different contents: one which is the content that's expected by the party signing the document, and the other, a piece of hidden content that gets displayed once the PDF is signed.

"The signers of the PDF receive the document, review it, and sign it," the researchers outlined. "The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."

In the analog world, the attack is equivalent to deliberately leaving empty spaces in a paper document and getting it signed by the concerned party, ultimately allowing the counterparty to insert arbitrary content in the spaces.

Shadow attacks build upon a similar threat devised by the researchers in February 2019, which found that it was possible to alter an existing signed document without invalidating its signature, thereby making it possible to forge a PDF document.

Read more of this story at SoylentNews.