Shadow Attacks can Find or Replace Content in Digitally Signed PDFs

Summary

Malicious users can exploit known vulnerabilities in digitally signed PDFs with a “Shadow” attack, which undermines the document’s authenticity and integrity by circumventing existing countermeasures.


Affected platforms

The following platforms are known to be affected:

PDF Viewers: multiple vendors


Threat details

Introduction

In a “Shadow” attack, the attacker creates a PDF with two different contents: the content expected by the signer, and hidden content that the attacker reveals only afterwards.


Vulnerability Details

This attack is the equivalent of leaving a blank space above a signature in a paper-based scenario: the person signing the document sees the content they expect, while the recipient sees the hidden content of the shadow document. The attacker prepares the shadow document with its hidden content, and the PDF signers receive, review, and sign it. Once it is signed, the attacker reveals or modifies the hidden content and sends the document to the recipient, who has no idea that the meaning or context could have been altered.

There are three different kinds of Shadow attacks on digitally signed PDFs: Hide, Replace, and Hide-and-Replace. The attacks are sophisticated and difficult to carry out, as they require access to the documents both initially and in the transfer from signer to recipient.

PDF viewer vendors have applied countermeasures to prevent many attacks, but 16 of the 29 vendors tested were vulnerable to these types of attacks. The attacks take advantage of CVE-2020-9592 and CVE-2020-9596. As of mid-December 2020, 11 of the 29 remained unpatched.

As part of their investigation, the researchers who discovered this vulnerability outlined a tool called PDF-Detector that will reveal shadow attacks at two stages of the process: before the PDF is signed and after it has been manipulated. The researchers have published their paper on Shadow Attacks for the Network and Distributed Systems Security Symposium 2021, 21-25 February 2021.
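A check a recipient can run for the second stage (changes made after signing), given as an added example; it is not the researchers' PDF-Detector and not code from this advisory. It reads each signature's /ByteRange and reports bytes that sit beyond the signed range, which is where content appended after signing ends up. The function names and the sample bytes are constructed for illustration.

```python
import re

# /ByteRange [o1 l1 o2 l2]: the signature covers bytes o1..o1+l1 and o2..o2+l2;
# the gap between the two ranges holds the /Contents signature value itself.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signature_coverage(pdf: bytes) -> list[dict]:
    """For each signature found, report what lies beyond its signed range."""
    results = []
    for m in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = map(int, m.groups())
        end = o2 + l2
        ok = o1 == 0 and l1 <= o2 and end <= len(pdf)
        tail = pdf[end:] if ok else b""
        results.append({
            "well_formed": ok,
            "unsigned_tail_bytes": len(tail.strip()),
            # every incremental update is terminated by its own %%EOF marker
            "updates_after_signing": tail.count(b"%%EOF"),
        })
    return results


def needs_review(pdf: bytes) -> bool:
    """True when a range is malformed or no signature covers the end of the file."""
    sigs = signature_coverage(pdf)
    if not all(s["well_formed"] for s in sigs):
        return True
    # an unsigned file (no /ByteRange at all) is out of scope for this check
    return bool(sigs) and min(s["unsigned_tail_bytes"] for s in sigs) > 0


def build_signed_sample() -> bytes:
    """Constructed stand-in for a signed PDF; the signature value is a dummy."""
    tmpl = "%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 {:<6} {:<6} {:<6}] /Contents "
    sig = b"<" + b"00" * 16 + b">"
    rest = b" >>\nendobj\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"
    l1 = len(tmpl.format(0, 0, 0))  # fixed-width fields keep the offsets stable
    return tmpl.format(l1, l1 + len(sig), len(rest)).encode() + sig + rest


# Constructed sample: the same file with one incremental update appended after signing.
SIGNED = build_signed_sample()
UPDATED = SIGNED + b"3 0 obj\n<< /Type /Annot >>\nendobj\ntrailer\n<< /Prev 0 >>\n%%EOF\n"

if __name__ == "__main__":
    for name, data in (("signed", SIGNED), ("updated", UPDATED)):
        print(name, needs_review(data), signature_coverage(data))
```

A flagged file is not proof of tampering, since later signatures and form fills also append data; the check does not validate the signature itself and only selects documents for closer inspection in a patched viewer.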


Remediation advice

Organisations are encouraged to urge users to apply updates to their approved PDF viewers as they become available.

Last edited: 24 February 2021 4:00 pm