Shadow Attack lets hackers replace/forge digitally signed PDF content


New ‘Shadow Attack’ can forge and replace content in digitally signed PDF files; 15 out of the 27 PDF viewers are vulnerable

Researchers from Ruhr-University Bochum in Germany have discovered a new technique that lets fraudsters, scammers, and hackers replace or forge the content of digitally signed PDF documents. The researchers have named this vulnerability the Shadow Attack.

The research paper, presented by Christian Mainka, Vladislav Mladenov, Simon Rohlmann, and Jörg Schwenk, found that the most widely used PDF readers, such as Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, and PDFelement, are vulnerable to this attack. The researchers found that 15 out of 27 desktop PDF viewer apps available online are vulnerable to the Shadow Attack.

The Shadow Attack has been issued two identifiers, CVE-2020-9592 and CVE-2020-9596, which have a severity score of 7.8/10. The Shadow Attack relies on the concept of “view layers” to forge or replace the content of a digitally signed PDF document. The idea is that the attacker creates a PDF document with two different contents: the content expected by the authority reviewing and signing the PDF, and hidden content that will be displayed after the PDF is signed.

A potential attacker could use the Shadow Attack to forge a digitally signed PDF document by sending a legitimate-looking PDF document for signing. Since the forged layer resides beneath the surface when the PDF is digitally signed, revealing it later doesn’t break the cryptographic signature. Hackers can use this method to commit fraud and run scams.
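
A defensive check related to the behaviour described above, added here as an example and not taken from the researchers' paper or from any PDF reader: a PDF signature covers only the bytes listed in its `/ByteRange` entry, so anything stored after that range was saved after signing. The function names and the sample bytes are constructed for illustration.

```python
import re

# /ByteRange [o1 l1 o2 l2] names the two byte spans the signature digest covers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def check_signed_coverage(pdf: bytes) -> list:
    """For every signature found, report bytes that lie outside its signed range."""
    findings = []
    for m in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = (int(g) for g in m.groups())
        signed_end = o2 + l2
        trailing = pdf[signed_end:]
        findings.append({
            "byte_range": (o1, l1, o2, l2),
            "range_is_sane": o1 == 0 and l1 <= o2 and signed_end <= len(pdf),
            "unsigned_trailing_bytes": len(trailing),
            # each %%EOF after the signed range marks a revision added post-signing
            "revisions_after_signing": trailing.count(b"%%EOF"),
        })
    return findings

def build_sample() -> bytes:
    """Constructed signed-PDF-like bytes (placeholder signature, not a real one)."""
    sig_hex = b"<" + b"00" * 16 + b">"
    template = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    after = b" >>\nendobj\ntrailer\n<< /Root 2 0 R >>\n%%EOF\n"
    l1 = len(template % (0, 0, 0))      # fixed-width fields keep offsets stable
    o2 = l1 + len(sig_hex)              # signed span resumes after the signature hex
    return template % (l1, o2, len(after)) + sig_hex + after

# Constructed stand-in for an incremental update appended after signing.
APPENDED = b"9 0 obj\n<< >>\nendobj\ntrailer\n<< /Prev 0 >>\n%%EOF\n"

if __name__ == "__main__":
    for label, data in (("as signed", build_sample()),
                        ("modified after signing", build_sample() + APPENDED)):
        for f in check_signed_coverage(data):
            print(label, f)
```

Bytes after the signed range are not proof of tampering, since additional signatures and form filling also append revisions, so a non-zero result is a prompt to review what the later revision changed. The check does not validate the signature itself.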

Different vulnerable PDF Readers for Windows/macOS/Linux:


According to the researchers, potential hackers could use Shadow Attack in three ways:

  • By hiding the PDF content
  • By replacing the PDF content
  • By hiding and replacing the PDF content

The researchers say that they have informed the German CERT-Bund about the two vulnerabilities. The PDF Reader makers have patched their readers against the exploit. You should update your Adobe or any other reader to protect yourself from Shadow Attack.

