Cell 1
Cell 2
Cell 3
Cell 4
Cell 5
Cell 6

Detecting PDF Shadow Attacks with iText 7

iText Group NV // November 24, 2020

PDF in general PDF 2.0 PDF/A PDF/UA Member News

Here at iText we take PDF security very seriously. So, when a team of security researchers investigating issues relating to PDF encryption and digital signatures announced they had developed a new class of vulnerabilities called PDF Shadow Attacks, we acted quickly to investigate if there were any issues that might relate to our software.

The same team of researchers (largely based at Ruhr University Bochum (RUB) in Germany) published their discovery of shortcomings in PDF signature validations in PDF processing software in 2019. We addressed these findings, and how to avoid the vulnerabilities with iText in this blog post. Unlike the earlier vulnerabilities however, PDF Shadow Attacks aren’t cryptographic in nature. They are a completely different beast since they are rooted in the visual realm of PDF instead.

We quickly determined that no changes to iText were needed. The published attacks target PDF viewers and editors and are based on adding incremental updates to signed documents, utilizing objects or changed references that may seem innocuous but nevertheless cause a change of the visible document content.

In contrast, iText’s methods related to checking incremental updates do not attempt to make any judgement about whether a change to the PDF’s contents is valid. Or, to put it another way, either there are incremental updates or there are not.

During our investigations though, we discovered that it was actually possible to use iText to detect these types of attack. You don’t need to just take our word for it though. We also invited Michael Klink, independent PDF expert and top StackOverflow contributor @mkl, on board as a technical consultant to make a detailed analysis of the three types of Shadow Attack and how they work,

This analysis resulted in the following three-part series of articles taking a deep-dive into the PDF Shadow Attacks and demonstrating how to use iText 7 to secure your documents and workflows against suspicious PDF documents.

In Investigating PDF Shadow Attacks: What are Shadow Attacks? (Part 1) we go into detail into the Hide, Replace, and Hide-and-Replace variants of Shadow Attack, explaining exactly what they do, and how different PDF software may respond to different attacks.

With that out of the way, in Investigating PDF Shadow Attacks: In-Depth PDF Security using iText (Part 2) we dive straight into using iText 7 to prevent against documents using the Hide attacks specifically, where attackers can use PDFs containing content hidden beneath other content to fool PDF viewers. Code examples in Java and C# are provided to perform content analysis and detecting hidden content in documents.

Finally, in Investigating PDF Shadow Attacks: In-Depth PDF Security using iText (Part 3) we wrap up the series by using iText 7 to inspect documents which may be using the "Replace" and "Hide and Replace" methods. Once again Java and C# code examples are provided, this time for detecting rigged form fields and performing object structure analysis. We also explain how to reduce the risk of false positives when carrying out these types of analysis.

We hope these articles prove useful for protecting your documents, applications, and workflows against these types of attack. If they do, we’d love it if you let us know!

We also thank Michael Klink for his collaboration on this series of articles. Michael has been on Stack Overflow for the past 8 years, and in that time has proven to one of the most valued members of the iText community; answering various PDF, iText and digital signature-related questions posed by users.

If you’re interested in learning more about PDF security with iText 7, including an overview of encryption, redaction and digital signatures, we recommend watching the Encryption and Digital Signatures webinar we presented along with the PDF Association earlier this year. This webinar details how to protect PDFs with encryption and digital signatures using iText 7 Core, and also covers achieving secure content redaction with the pdfSweep add-on. Alternatively, see our recent blog on the top three ways to improve your PDF document security.

You can also check out our Digital Signatures solutions page for code examples, use cases and other resources.

Still have questions?

If you are interested in learning more or have additional questions, contact us

If you are interested in learning more about the iText 7 suite, click here

Original posts:

© 2020 Association for Digital Document Standards e.V. | Privacy Policy | Imprint