
My last post was all about how to secure PDF documents. So it’s only fair that I point you to information to undermine that good advice. To be fair and balanced. And leave no good deed unpunished.
Belgian security blogger and hacker extraordinaire Didier Stevens recently posted this entry all about hiding data in PDF files.
My corrupted PDF quip inspired me to program another steganography trick: embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader.
Essentially the trick is to manipulate the PDF keyword /EmbeddedFiles which points to the dictionary of embedded files such that it is not recognized by the PDF reader as a valid keyword.
As names defined in the PDF specification are case sensitive, changing the case changes the semantics: /Embeddedfiles has no meaning, and thus the PDF reader ignores it and doesn’t find the embedded file.
And voila! The embedded file is not displayed by the PDF reader.
Of course, once you know the stego trick, it’s easy to recover the embedded file: edit the PDF document with a hex editor and change the case back to /EmbeddedFiles.
But if you want to make it harder to detect, use PDF obfuscation techniques. Or embed the file twice with incremental updates. First version is the file you want to hide, second version is a decoy…
The PDF language offers so many features to hide and obfuscate data!
Thanks Didier for news we can abuse.
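A defender's check for the trick quoted above, as an added example that is not from this post or from Didier Stevens: it scans a PDF's raw bytes for names that match /EmbeddedFiles only after case folding (resolving #xx name escapes first) and counts %%EOF markers as a hint of incremental updates. The function names and the sample bytes are constructed for illustration.

```python
import re

# A PDF name is '/' followed by characters that are not whitespace or delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
CANONICAL = b"EmbeddedFiles"

# Constructed fragment (not a complete PDF) with the case-altered key.
SAMPLE = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Names << /Embeddedfiles 2 0 R >> >>\nendobj\n"
    b"2 0 obj\n<< /Names [(note.txt) 3 0 R] >>\nendobj\n"
    b"%%EOF\n"
)


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes, which readers apply before comparing names."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf(data: bytes) -> dict:
    """Report /EmbeddedFiles look-alikes and the number of %%EOF markers."""
    valid, miscased = [], []
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(1))
        if name == CANONICAL:
            valid.append(m.start())            # a reader will honour this one
        elif name.lower() == CANONICAL.lower():
            # Same letters, wrong case: ignored by readers, so worth a look.
            miscased.append((m.start(), m.group(0).decode("latin-1")))
    return {
        "valid_refs": valid,
        "miscased_refs": miscased,
        "revisions": data.count(b"%%EOF"),     # more than 1 suggests updates
    }


if __name__ == "__main__":
    report = scan_pdf(SAMPLE)
    for offset, token in report["miscased_refs"]:
        print(f"suspicious name {token!r} at byte offset {offset}")
    print(f"%%EOF markers: {report['revisions']}")
```

The scan only sees uncompressed bytes, so names stored inside compressed object streams are missed, and a match inside stream data or a string literal is a false positive to rule out by hand.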






