[fivesigma]

Is this length extending [1] the already existing Google attack?

[1] https://en.wikipedia.org/wiki/Length_extension_attack

Edit: yes, looks like it is.

As sp332 and JoachimSchipper mentioned, the novelty here is that it contains specially crafted code in order to conditionally display either picture based on previous data (the diff). I can't grok PDF so I still can't find the condition though. Can PDFs reference byte offsets? This is really clever.

Edit #2: I misunderstood the original Google attack. This is just an extension of it.

[sp332]

Yes, it's a length extension. Both images are in both outputs. Both outputs also contain a conditional switch to choose which image to show based on the previous data, where the collision lives.

Edit to your edit: This is more of a JPEG hack than a PDF hack. https://news.ycombinator.com/item?id=13715761

[JoachimSchipper]

Yes; you extend with a carefully-chosen "if" to generate distinct-looking files.

[TorKlingberg]

It seems so. I can add the same arbitrary data at the end of two pdfs generated by this tool, and they are still a collision. I didn't know SHA-1 is so susceptible to length extension. Is there no internal state in the algorithm that would be different even if the hash output is identical?

[danielweber]

If you were to somehow get two messages with the same SHA-3 hash, you could keep on appending the same data to both and they would keep the same SHA-3. But SHA-3 is explicitly not vulnerable to length extension attacks.

[fivesigma]

No they wouldn't, since its internal state is different than the output.

Same goes for SHA-224 and SHA-384.

[danielweber]

Damn, right, you have to get them with the same internal state.

[danielweber]

No. The messages differ in their internals.

The length extension attack leverages the weakness that people think HASH(secret + message) is a signature only they can create as long as only they know "secret".