Malware, Phishing, Threat Management

Shadow attacks let hackers replace content in digitally-signed PDF

Researchers from Ruhr-University Bochum in Germany have unveiled a new attack class that could enable the bypassing of security countermeasures in digitally signed PDF documents, utilizing the “enormous flexibility provided by the PDF specification" so that shadow documents remain standard-compliant,” according to The Hacker News.

The method of the attack involves the threat actor creating a PDF document containing content that the party signing the document expects to see, plus a piece of concealed content that becomes visible after the PDF is signed.

“The signers of the PDF receive the document, review it, and sign it. The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers,” the researchers explained.

The researchers tested 29 PDF viewers and found 16 – including Adobe Acrobat, Perfect PDF, Okular and Foxit Reader – that were vulnerable to shadow attacks.

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.