Shadow Attacks Mean You Have to Be Wary of More Than the Fine Print

October 7th, 2021 | security & compliance

Back in the old days, you know, when dinosaurs roamed the Earth, whenever you had to sign a contract you were warned to “Read the Fine Print.” That was the part of the contract written in an incredibly small font size, and it could contain all the gotchas. For example, you might be signing a partnership agreement with someone, and the fine print says they get 100% of the profit after the first year. Today, you need to be wary of Shadow Attacks.

What is a Shadow Attack?

A shadow attack is one in which a malicious actor creates a document that has two versions of the content. One version might be the great partnership agreement the two parties had agreed upon, and one party digitally signs that agreement. Then the malicious actor changes the content to benefit themselves, and now they have the victim's digital signature to “prove” that the victim agreed to this second version of the content.

Usually this is done using PDF documents. PDF viewing software is supposed to have built-in protections that warn you if a PDF has been altered since it was signed, but unfortunately there are ways around these protections that rely on built-in features. Researchers at Ruhr University Bochum were able to demonstrate how to perform shadow attacks and bypass the protections built into many of the most popular PDF viewers on the market. They used simple features like Incremental Updates and Interactive Forms to hide malicious content from the victim while the victim is signing the document.

How Does a Shadow Attack Work?

The researchers identified three different approaches a malicious actor could take with a shadow attack:

  1. Hide — The hide method relies on malicious actors using the Incremental Update feature to hide a layer of content within the PDF that the signer will not initially see.
  2. Replace — The replace method uses the Interactive Forms feature to replace the original content with a modified value by embedding content in form fields.
  3. Hide-and-Replace — The hide-and-replace method actually embeds a second PDF document within the original document and uses it to replace the original.


How to Protect Against Shadow Attacks

This doesn’t mean that we should stop using PDFs and digital signatures and go back to hard copies. There are plenty of ways to trick people with hard copy contracts as well. It does mean, however, that companies need to be aware of these vulnerabilities and ensure that they have up-to-date and appropriately patched PDF viewing software installed on their company computers. This is just another example of how we all need to be ever vigilant and keep security at the top of our priority list.
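Alongside patched viewers, a signed PDF can be triaged by checking whether anything was appended after the bytes the signature covers, which is how an Incremental Update shows up on disk. The following is an added example, not code from the researchers or from OneLogin; the function names and the sample bytes are constructed for illustration. A non-empty tail is a flag for manual review rather than proof of tampering, since legitimate updates (for example an additional signature) are appended the same way.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
NEW_OBJECT = re.compile(rb"\d+\s+\d+\s+obj\b")

def audit_signed_pdf(data: bytes) -> dict:
    """Report what each signature covers and what was appended afterwards."""
    sigs = []
    for m in BYTE_RANGE.finditer(data):
        a, b, c, d = (int(x) for x in m.groups())
        sigs.append({
            "signed_end": c + d,
            # A sane range starts at 0, leaves a gap for the signature value,
            # and does not point past the end of the file.
            "malformed": a != 0 or a + b > c or c + d > len(data),
        })
    last_end = max((s["signed_end"] for s in sigs), default=0)
    tail = data[last_end:] if sigs else b""
    return {
        "signatures": sigs,
        "revisions": data.count(b"%%EOF"),
        "unsigned_trailing_bytes": len(tail),
        "modified_after_signing": bool(tail.strip()),
        "tail_adds_objects": bool(NEW_OBJECT.search(tail)),
    }

def build_sample(appended: bytes = b"") -> bytes:
    """Constructed PDF-like bytes (not a valid PDF) holding one signature dictionary."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Contents "
    hole = b"<" + b"0" * 32 + b">"          # placeholder signature value
    fmt = b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n"
    eof = b"%%EOF\n"
    tail_len = len(fmt % (0, 0, 0)) + len(eof)
    gap_start, gap_end = len(head), len(head) + len(hole)
    return head + hole + fmt % (gap_start, gap_end, tail_len) + eof + appended

if __name__ == "__main__":
    # Constructed incremental update appended after the signed revision.
    update = b"5 0 obj\n<< /Type /Page >>\nendobj\n%%EOF\n"
    for name, pdf in (("as signed", build_sample()), ("after update", build_sample(update))):
        print(name, audit_signed_pdf(pdf))
```

This only inspects byte coverage; it does not validate the signature itself, so it complements a viewer's verification rather than replacing it.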

Alicia Townsend, Dir. of Content and Documentation
About the Author

For almost 40 years, Alicia Townsend has been working with technology as both a consultant and a trainer. She has a passion for empowering others to use technology to make their lives easier. As Director of Content and Documentation at OneLogin, Ms. Townsend works with technical writers, trainers and content marketing writers to inspire and empower everyone to take advantage of what OneLogin’s platform has to offer them.
