Ruhr-Uni-Bochum

Content of signed PDF documents can be changed unnoticed

In 2019, researchers from Bochum identified vulnerabilities in PDF signature that enabled them to manipulate the content of documents unnoticed.

PDF signatures are supposed to protect documents from unnoticed changes. © RUB, Marquard

Researchers from the Horst Görtz Institute for IT Security (HGI) at Ruhr-Universität Bochum have found a new security gap in the digital signature of PDF documents. PDF signatures are used to protect important documents such as invoices or contracts from modification. The group had already pointed out in 2019 that the contents of PDF documents can be manipulated despite the signature. The manufacturers of many PDF applications reacted by implementing countermeasures. In the current study, the IT experts show that document contents can still be changed unnoticed in many programs in several ways.

The researchers published details of the attacks, which they named shadow attacks, on 22 July 2020 on this website. They previously reported the vulnerabilities to the Computer Emergency Response Team at the German Federal Office for Information Security. The applications in which the vulnerability has already been eliminated can be viewed online.

After the vulnerabilities described in 2019 were identified, a widespread countermeasure was implemented, based on informing users about changes to a signed PDF document. The changes are classified as “potentially dangerous” and “harmless”. Dr. Christian Mainka, Dr. Vladislav Mladenov (currently visiting professor at the University of Konstanz), Simon Rohlmann and Professor Jörg Schwenk from the Chair of Network and Data Security analysed the harmless and thus permitted changes to PDF documents in more detail.

Almost all analysed applications have vulnerabilities

The researchers checked 28 popular PDF viewers for the Windows, Mac and Linux operating systems. They found serious vulnerabilities in 15 applications: users were not warned that the document had been altered. Another ten applications indicated changes, but didn’t classify them as manipulations. “Our findings give cause for concern. We were able to manipulate parts or even the entire signed document without the signature verification noticing this change,” says Vladislav Mladenov.

An overview of all tested and affected applications is available here.

Two-stage attack

Shadow attacks are carried out in two phases. While preparing for the attack, the attacker uses properties of the PDF data structure to hide content invisibly in the PDF – like a shadow. He then presents the prepared document to a signer, for example his supervisor or consortium partner. The latter wants to sign the document – for example an invoice or a contract – and checks its content in his PDF application. To him, the document looks correct, so he signs it digitally. The digital signature is now supposed to protect the content of the PDF file from changes.

In the second step, the attacker receives the signed file and makes the original content that he had previously hidden visible. Generally, such changes to the document are considered harmless because no new content is added; rather only content from the signed area is accessed. However, the manipulation can completely change the displayed content of the document.

Three types of shadow attacks

The HGI team tested three different attack classes. “Shadow attack hide” means that content relevant to the victims is hidden behind a visible layer. For example, an attacker could hide the text “You are fired. Get out immediately!” behind a full-page image that says: “Sign the document to get a reward”.

The idea behind the “shadow attack replace” attack class is to add new objects to the signed document that are considered harmless but directly affect the appearance of the signed content. For example, (re)defining fonts doesn’t directly change the content; however, self-defined fonts allow numbers or letters to be swapped at will.

The attack variant “shadow attack hide-and-replace” hides a second, fully defined PDF document with different content in the visible document.

Digital PDF signatures widely used

Since the regulation on “Electronic Identification, Authentication and Trust Services” came into effect, PDF signatures play an important role in the European Union. For example, contracts in EU projects are digitally signed; in Austria this also applies to all new laws. Companies like Amazon use PDF signatures to sign their invoices. According to Adobe, its digital signing service was used eight billion times in 2019.

Press contact

Dr. Vladislav Mladenov
Chair for Network and Data Security
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 26742
Email: vladislav.mladenov@rub.de

Dr. Christian Mainka
Chair for Network and Data Security
Horst Görtz Institute for IT Security
Ruhr-Universität Bochum
Germany
Phone: +49 234 32 26796
Email: christian.mainka@rub.de

General inquiries can also be made to team@pdf-insecurity.org.
Further contact details are available here.

 

General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.