
Perfidy, Deception, Fraud – How Much Trust Should We Put in a PDF? by unny
In this experiment, we demonstrate how to create a malicious PDF document that
- changes its displayed content with time (while the file stays the same)
- displays different content to different people
In the first scenario, an attacker can get the victim to agree to something and later misrepresent what the victim agreed to.
In the second scenario, an attacker can leverage a “confused deputy” to defraud a third party. Imagine sending a PDF to a person having approval authority with a message “please approve this invoice and forward to the payment department”. In the payment department, the “approved” invoice displays a different claimant and/or amount than to the approver.
This repository contains:
- an example proof-of-concept PDF
- a script to generate such PDFs (using PDF-LIB.js)
In our daily life, we often think of PDF documents as static and immutable. This mental model is wrong.
A PDF document can contain “forms” and a dynamic behavior via embedded JavaScript code attached to these forms. We note that there are hardly any constraints on what a form can look like. In our proof of concept, the form field covers the complete visible document area. It is possible to build convincing documents that integrate forms organically in other ways, though.
The text of our document is generated by the JavaScript program embedded in the document. The generation happens in the reader, at the time of opening the document.
So what can an embedded program do? The APIs available to it are limited, but the limitations are mostly centered around preventing the program from changing the state outside of the PDF reader.
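As an added defender's check (not part of this repository or its proof of concept), the Python script below triages PDF files for the ingredients this write-up relies on: a document-level or form-level JavaScript action (`/JS`, `/JavaScript`, `/OpenAction`, `/AA`, `/AcroForm`) and a script body that consults the clock or the locale. It inflates FlateDecode streams first, because scripts are frequently stored inside compressed object streams. The three sample PDFs are constructed inline for the demonstration; `app.language` and `app.platform` are Acrobat JavaScript API properties, the other probes are core JavaScript `Date` methods.

```python
import re
import sys
import zlib

# Catalog/annotation keys that introduce scripted or event-driven behaviour in a PDF.
ACTIVE_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/AcroForm"]

# APIs a script can use to vary what it renders by clock or locale.
# app.language / app.platform are Acrobat JavaScript API properties; the rest are core JS Date methods.
ENV_PROBES = {
    "clock": rb"\bDate\b",
    "timezone": rb"getTimezoneOffset",
    "locale": rb"toLocale\w*String|app\.language",
    "platform": rb"app\.platform",
}


def inflate_streams(data):
    """Append the decompressed body of every FlateDecode stream to the raw bytes,
    so keys hidden in compressed objects (including object streams) are scanned too."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); the raw bytes are already in parts
    return b"\n".join(parts)


def scan_pdf(data):
    """Return which active keys appear, which environment probes the scripts use,
    and a triage verdict: 'no-script', 'scripted', or 'dynamic-content'."""
    text = inflate_streams(data)
    keys = {k.decode(): text.count(k) for k in ACTIVE_KEYS if k in text}
    # Script bodies held in literal strings: /JS (...). Hex strings and /JS streams are
    # not parsed by this first pass, so absence of probes is not proof of absence.
    scripts = re.findall(rb"/JS\s*\((.*?)\)\s*>>", text, re.S)
    probes = [name for name, pat in ENV_PROBES.items()
              if any(re.search(pat, s) for s in scripts)]
    has_script = "/JS" in keys or "/JavaScript" in keys
    if has_script and probes:
        verdict = "dynamic-content"
    elif has_script:
        verdict = "scripted"
    else:
        verdict = "no-script"
    return {"keys": keys, "probes": probes, "verdict": verdict}


# Constructed sample 1: an uncompressed PDF whose OpenAction script fills a
# page-sized text field from the clock (the shape of document the write-up describes).
SAMPLE_DYNAMIC_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [4 0 R] >> /OpenAction 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Widget /FT /Tx /T (body) /Rect [0 0 612 792] >> endobj
5 0 obj << /S /JavaScript /JS (var d = new Date(); this.getField("body").value = d.getFullYear() > 2030 ? "B" : "A";) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: a plain static page with no form and no script.
SAMPLE_STATIC_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 720 Td (Invoice total: 100) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample():
    """Constructed sample 3: a clock- and locale-reading script hidden inside a
    FlateDecode object stream, which a scan of the raw bytes alone would miss."""
    body = b"5 0 obj << /S /JavaScript /JS (app.alert(new Date().toLocaleString())) >> endobj"
    comp = zlib.compress(body)
    return (b"%PDF-1.7\n6 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(comp)).encode() + b" >> stream\n" + comp
            + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    # Usage: python pdf_triage.py file1.pdf file2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_pdf(fh.read()))
```

Treat the verdict as triage, not as a verdict on the file: names written with `#xx` escapes, scripts stored in hex strings or separate streams, and filters other than Flate all slip past this pass, while a legitimate form with a date-stamp script will be flagged. The reliable mitigation for the scenarios above is a reader with JavaScript disabled, or a flattened (form-free, script-free) rendering of the document produced before anyone approves it.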
The program has read access to the real-time clock (the Date object, specifically), which already enables attack scenario #1. Furthermore, the Date object also tells the program about the time zone and the locale of the system running the PDF reader. In certain scenarios (multinational corporation or other distributed organization), this info