Visual Signature Spoofing in PDFs
The Portable Document Format, better known as PDF, is one of the most widely used formats for the exchange of digital documents. In 1999, support for digital signatures was added to PDF files with version 1.3.
Forged signatures have existed roughly as long as signatures themselves, so it is no surprise that since their introduction there have already been multiple successful attacks against the implementation of digital signatures in PDFs (e.g., see https://www.pdf-insecurity.org/).
Most previous attacks exploit vulnerable PDF applications so that they display invalid signatures as valid. However, what if we instead choose a different target: the user who views the document and must decide whether it is properly signed?
The question we ask is: Can we trick a user into believing an unsigned PDF is signed, using only the features defined in the PDF specification?
Visual Signature Spoofing is an attack technique in which an attacker attempts to imitate the appearance of a PDF application for signed documents. When a signed PDF is opened, multiple Signature Indicators are displayed in PDF applications informing the user that the currently opened PDF contains a trusted signature. Using these signature indicators, a user can make an informed decision about whether a document is signed and to be trusted. Visual Signature Spoofing undermines these trust assumptions by mimicking the behavior and appearance of real signature indicators.
Typical Signature Indicators in PDF Applications
During our research, we identified four types of User Interface (UI) elements that serve as signature indicators. To imitate these signature indicators, we first have to observe their typical behavior in the application.
The signature graphic is the visual representation of the signature in the PDF itself. It is often clickable to show further information about the signature, such as the signing date and the signee. The signature graphic is embedded in the PDF page and moves when the PDF is scrolled or zoomed.
Many PDF applications display a banner, typically at the top of the document viewport, which shows basic information about the validity of the signature and warns the user when verification problems occur. After the signature graphic itself, this signature bar is the most prominent signature indicator in PDF applications. Since the signature bar is part of the application UI, it remains unchanged when the user zooms and scrolls.
The signature panel is often located at the side of the document viewport and shows basic information like the verification status and signer of the PDF. It can be opened and closed by the user and, like the signature bar, does not change position or size when a user zooms or scrolls.
More specific information about the signature, e.g., details about the signature certificate, is displayed in pop-up windows. These windows can be opened in various places, such as by clicking the signature graphic. Their appearance and behavior partially depend on operating system settings, such as the color scheme. These windows can be moved by the user.
Visual Signature Spoofing Techniques
Next, we identified PDF features to imitate the signature indicator behavior. The following requirements need to be fulfilled for a convincing spoof:
The PDF objects must be movable for a correct positioning in the viewport.
The PDF objects must be interactive. Most interactions occur when a user clicks something. Additional interactions occur when a user hovers over a UI element with the cursor.
We must be able to freely choose the appearance of the PDF objects.
We should be able to hide PDF objects.
Alice and Bob use digital signatures in PDFs and trust each other's signature. The attacker Eve tries to create a PDF that imitates Alice's signature against Bob. The visual signature spoof is successful if the PDF does not contain a signature but convinces Bob that it is signed.
We assume that Bob only opens the document, reads it, verifies the signature by interacting with the signature indicators, and closes it. Zooming and scrolling are also allowed.
This means that the quality of a spoof depends only on how well the signature indicators in the PDF application can be spoofed.
Furthermore, we assume that the attacker Eve has the following capabilities when creating the spoof:
Eve cannot sign a PDF with a signature that is trusted by Bob.
Eve knows what Alice's signature visually looks like.
Eve knows basic information about the PDF application and OS that Bob uses.
The delivery method of the PDF is out of the scope of this research, so we assume that Eve can deliver the PDF to Bob without raising suspicion.
We evaluated the feasibility of Visual Signature Spoofing by creating spoofs for three commonly used PDF applications:
Adobe Acrobat Reader DC
All PDFs were evaluated on Windows 10.
In Acrobat Reader DC, we were able to position the widget annotations that make up the spoofed signature indicator freely in the viewport. Furthermore, we could move the widget annotations in reaction to the user scrolling or zooming. We were also able to hide or show annotations to imitate the user opening other signature indicators, e.g., a window. Overall, we were able to convincingly spoof the signature graphic, signature bar, signature panel, and, to a lesser extent, pop-up windows.
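A defender-side triage check based on the attack model above, added here as an example and not taken from the original research or its proof-of-concept: it flags files that carry no signature dictionary yet contain widget annotations with interactive actions. The token set (/ByteRange, /AA, /S /Hide, /S /JavaScript), the function name and the sample fragments are assumptions; the page does not state which action types the spoof uses, and files with compressed object streams are reported as inconclusive.

```python
import re

# PDF name tokens, matched on raw bytes (whitespace between tokens is optional).
SIG_DICT = re.compile(rb"/ByteRange\s*\[")      # required in a signature dictionary
WIDGET = re.compile(rb"/Subtype\s*/Widget\b")   # widget annotation
# Assumed set of interactivity markers; the page does not name the ones it used.
ACTIONS = {
    "additional-actions": re.compile(rb"/AA\b"),
    "hide-action": re.compile(rb"/S\s*/Hide\b"),
    "javascript": re.compile(rb"/S\s*/JavaScript\b"),
}

def triage(pdf_bytes: bytes) -> dict:
    """Classify a PDF by signature markers versus interactive widgets."""
    has_sig = bool(SIG_DICT.search(pdf_bytes))
    widgets = len(WIDGET.findall(pdf_bytes))
    actions = sorted(n for n, rx in ACTIONS.items() if rx.search(pdf_bytes))
    if has_sig:
        verdict = "signature-present"   # presence only; validity needs a real verifier
    elif widgets and actions:
        verdict = "suspicious-unsigned-interactive"
    elif b"/ObjStm" in pdf_bytes:
        verdict = "inconclusive"        # objects may hide in compressed streams
    else:
        verdict = "unsigned"
    return {"verdict": verdict, "widgets": widgets, "actions": actions}

# Constructed sample fragments (not complete PDFs, not from the proof-of-concept).
SIGNED = (b"%PDF-1.7\n5 0 obj\n<< /FT /Sig /Subtype /Widget /V 6 0 R >>\nendobj\n"
          b"6 0 obj\n<< /Type /Sig /ByteRange [0 100 200 50] /Contents <00> >>\nendobj\n")
UNSIGNED_INTERACTIVE = (b"%PDF-1.7\n7 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Btn "
                        b"/AA << /E << /S /Hide >> >> >>\nendobj\n")

if __name__ == "__main__":
    for name, data in (("signed", SIGNED), ("unsigned+widgets", UNSIGNED_INTERACTIVE)):
        print(name, triage(data))
```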
There is some remaining behavior which we were not able to spoof in any PDF application during this research, for example:
We were not able to retrieve information about the OS color scheme. This means that the color of the spoofed windows might not fit the real accent color. We therefore chose a neutral color like white for the windows.
All spoofed signature indicators react with significant lag to the user zooming or scrolling.
These limitations show that visual signature spoofing is unlikely to succeed under scrutiny. Additionally, the creation of a visual signature spoof is time-consuming since it must be custom-made.
Still, visual signature spoofing might work in other attack scenarios, such as targeted social engineering attacks (e.g., CEO fraud). The spoof is much more convincing when the attacker is in control of the PDF application, and merely shows it to the victim without letting them interact with it. For example, an attacker might show the receptionist a contract “signed” by the CEO, to gain entry to the facility.
Visual Signature Spoofing was partially successful in forging signed documents.
Additionally, PDF applications should clearly separate the PDF content from the application's UI elements, especially if they are security relevant. For example, the signature bar could be moved to the top of the application, so that spoofing the signature bar would require a spoof of all the other UI elements between it and the viewport.
We attempted to contact the affected vendor Adobe through their PSIRT multiple times since mid-February 2023, but never received a response.
Try it Yourself
You can download the proof-of-concept here.
This research was conducted by Tobias Friese during his bachelor thesis.
In 2021, he joined SEC Consult as an intern, and continued working as an associate security consultant.
The blogpost was edited and published with the help of the SEC Consult Vulnerability Lab.