There have been several stories recently about collisions in MD5 hashing, the latest being a report from the Institute of Cryptography at Ruhr University giving two documents with different content but the same MD5 hash. One is a letter of recommendation, and the other is a permission to access secret files. The underling presents her boss with the first to sign, then transfers the signature to the second one.
However, one doesn’t need to do clever tricks with MD5 to achieve this end. PostScript is a Turing-complete page description language, and other document scripting languages, such as Visual Basic for Applications (Microsoft Word’s macro language), are similarly powerful. Both have access to their own filename.
So, for example, you could create a Microsoft Word document containing a macro which hid or showed different bits of text depending on the value of ActiveDocument.Name. With one name, it’s a letter of recommendation; with another, it’s a grant of permission for access to top secret files. So you present it to the victim to sign when it has one name – so when they view it, it looks innocent – and then rename it before sending it to the Security department, so when they view it you get your secret access.
You could argue that the filename should be incorporated into the data which is signed – but the script could switch on any external info it has access to, such as the IP address of the machine, or the name of the logged-in user.
The lesson here is clear: don’t sign bits you didn’t create.
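As an added illustration (not code from the original post), the toy model below shows what each signature binds: a signature over the file bytes verifies under any filename, binding the filename still leaves other environment inputs free, and only a signature over static text the signer rendered is tied to what was seen. The JSON block format, the HMAC standing in for a real digital signature, and all names are assumptions made for the example; signing the flattened rendering is one reading of the closing advice.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: stands in for the signer's private key

def make_doc(switch_on: str, innocent: str, hostile: str) -> bytes:
    """Constructed toy 'active document': each block shows only when its condition holds."""
    return json.dumps([
        {"when": {switch_on: innocent}, "text": "Letter of recommendation"},
        {"when": {switch_on: hostile}, "text": "Permission to access secret files"},
    ]).encode()

def render(doc: bytes, env: dict) -> str:
    """What a viewer displays: a function of the bytes AND the viewing environment."""
    return "\n".join(b["text"] for b in json.loads(doc)
                     if all(env.get(k) == v for k, v in b["when"].items()))

def sign(data: bytes) -> str:
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()

def verify(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(data), sig)

def bound(doc: bytes, filename: str) -> bytes:
    """File bytes with the filename included in the signed data."""
    return filename.encode() + b"\0" + doc

def sign_what_was_seen(doc: bytes, env: dict) -> tuple[str, str]:
    """Flatten to static text in the signer's environment and sign only that."""
    text = render(doc, env)
    return text, sign(text.encode())

if __name__ == "__main__":
    by_name = make_doc("filename", "reference.doc", "access.doc")
    sig = sign(by_name)  # signature over the bytes alone
    for name in ("reference.doc", "access.doc"):
        print(name, verify(by_name, sig), "->", render(by_name, {"filename": name}))
    by_user = make_doc("user", "boss", "security")
    sig = sign(bound(by_user, "reference.doc"))  # filename bound, user still free
    for user in ("boss", "security"):
        env = {"filename": "reference.doc", "user": user}
        print(user, verify(bound(by_user, "reference.doc"), sig), "->", render(by_user, env))
    text, sig = sign_what_was_seen(by_user, {"user": "boss"})
    print(verify(text.encode(), sig), verify(b"Permission to access secret files", sig))
```
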