Security Experts:

Connect with us

Hi, what are you looking for?


Data Protection

Researchers Disclose New Methods for Replacing Content in Signed PDF Files

A team of researchers from the Ruhr University Bochum in Germany has disclosed a series of new attack methods against signed PDF files.

A team of researchers from the Ruhr University Bochum in Germany has disclosed a series of new attack methods against signed PDF files.

Dubbed Shadow Attacks, the new techniques allow a hacker to hide and replace content in a signed PDF document without invalidating its signature. The hacker can create a document with two different contents, one that the signer expects to see and one that will be displayed to the recipient of the document.

“The Signers of the PDF receive the document, review it, and sign it. The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the Signers,” the researchers explained.

They have tested 28 PDF viewer applications and found that 15 of them were vulnerable to at least one of the attacks, including apps made by Adobe, Foxit, and LibreOffice. These three organizations have already released patches, but many of the impacted vendors either did not respond to the researchers’ messages or they provided no information about the availability of patches.

The same researchers previously disclosed methods for breaking PDF file signatures and making unauthorized changes to signed documents. They have now presented three new attacks on PDF signatures.

Organizations and individuals — this includes governments, researchers and businesses — often sign PDF documents to prevent unauthorized changes. If someone makes modifications to the signed document, its signature should become invalid.

However, the researchers at Ruhr University Bochum have demonstrated three variants of the Shadow Attacks, which attackers can leverage to hide, replace, or hide and replace content in PDF files. The vulnerabilities that allow these attacks are tracked as CVE-2020-9592 and CVE-2020-9596.

The “Hide” variant of the Shadow Attacks involves hiding some content in a PDF behind another layer, such as a full-page image. In an attack scenario described by the experts, the attacker sends the signer a document with an image of an enticing or harmless message on top of the content they want to hide. Once the document has been signed and sent back to the attacker, they can manipulate the file so that the image is no longer rendered by the PDF viewer, which makes the hidden content become visible.

Shadow Attacks

The “Replace” variant of the attack involves appending a new object — an object that is considered harmless but which can impact the way the content is presented — to a signed document.

“For instance, the (re)definition of fonts does not change the content directly. However, it influences the view of the displayed content and makes number or character swapping possible,” the researchers explained.

The “Hide-and-Replace” variant, which the researchers described as “the most powerful,” enables an attacker to change the entire content of a signed document. In this attack, the hacker inserts hidden content and visible content into the document using two objects that have the same object ID, and sends it to the target. Once they receive the signed document, the attacker appends a new Xref table and a new Trailer so that the hidden content is displayed instead of what the victim saw before signing the document.

Related: Nitro Pro Vulnerabilities Expose Many Enterprises to Attacks

Related: Chrome Zero-Day Exploited to Harvest User Data via PDF Files

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.