A research showed that 15 of 27 PDF viewer applications for desktops computers is vulnerable to a new attack, called Shadow attack and allows malicious hackers to modify the contents of digitally signed PDF documents.
The list of vulnerable applications includes: Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement and more, according to new research published this week by academics Ruhr-University Bochum in Germany.
The main idea behind Shadow Attack is the concept of “projection levels”- different overlapping content sets in a PDF document.
During Shadow Attack, the attacker prepares a PDF document with different content sets and sends it to a victim. The victim digitally signs the document, but when the attacker accepts it, it changes the visible content (where the victim signed it) to another.
Because the content was included in the original document signed by victim, the change does not affect the encrypted signature and allows the attacker to use the legally binding document for illegal activities - such as replacing the recipient of a payment or modifying the terms of a contract, etc.
According to the research team, there are three variants of Shadow Attack:
- HideAttackers use the PDF Incremental Update feature to hide content without replacing it with anything else.
- ReplacementAttackers use the Interactive Forms feature of PDF to replace the original content with a modified value.
- Hide and replaceAttackers use a second PDF document contained in the original document to replace it completely.
The third variant is the most powerful, since the content of the entire document can be modified.
"The attacker can create a complete document that modifies the presentation of each page, or even the total number of pages, as well as any object contained in it."
The researchers say that Shadow Attack is effective because PDF documents, even when digitally signed, allow the presence of PDF objects that are not used in their content.
The applications PDF viewers that do not allow additional PDF objects when signing a document are not affected by Shadow Attack.
There are available patches
The academics said they collaborated with CERT-Bund (Computer Emergency Response Team of Germany) and contacted PDF application developers to report the new threat and find a solution before publishing their findings.