
The Signed PDF You Approved Might Not Be the One They're Reading


Imagine signing a contract. You read every page, initial every clause, and sign your name at the bottom. The notary stamps it. It is official. Then someone takes that signed contract home and, without breaking the seal, makes entirely different text appear on page three. Your signature still looks valid. The notary stamp still checks out. But the contract now says something you never agreed to.

That is not a hypothetical. In 2020, a team of German security researchers demonstrated exactly this kind of attack against digitally signed PDFs. They called the technique "shadow attacks," and it worked against 16 of the 29 most widely used PDF applications in the world — including the most popular commercial reader.

How Digital Signatures Are Supposed to Work

A digital signature on a PDF is fundamentally a mathematical promise. When you sign a document, the signing software computes a cryptographic hash — a unique fingerprint — of the document's contents. That hash is then signed with your private key. Anyone with your public key can verify: (1) the hash matches the document, and (2) only your private key could have produced the signature.

If someone changes a single character in the document, the hash will not match. The signature breaks. Verification fails. That is the entire point — digital signatures are supposed to make tampering detectable. And at the cryptographic level, they do. The problem is not in the cryptography. The problem is in how PDF viewers decide what counts as a "change."

The Invisible Ink Trick — Three Flavors

The researchers identified three distinct variants of the shadow attack. Each one exploits the PDF specification's flexibility — the fact that a PDF is not a flat image but a structured container that can hold hidden objects, overlapping layers, and deferred references.

Variant 1: Hide and Replace

The attacker creates a PDF with two versions of the content stacked on top of each other — like writing one letter on a transparency laid over a different letter. The visible layer shows the "clean" content the signer reviews. After signing, the attacker adds an incremental update (which the PDF spec explicitly allows) that changes which layer is visible. The bottom layer — containing the attacker's real content — becomes what everyone sees. The signature still validates, because both layers were already present in the content that was signed.

Variant 2: Replace via Overlay

Instead of hiding entire pages, the attacker embeds objects — images, text blocks, form fields — that are referenced in the signed document but initially rendered as invisible (zero opacity, off-page coordinates, or behind another object). After signing, an incremental update repositions these objects to cover the original content. Think of it as pre-positioning sticky notes inside a sealed envelope. They were always in there. The attacker just tells them where to stick after the seal is applied.

Variant 3: Hide and Replace via Form Fields

PDF forms allow field values to be updated after signing — this is by design, so you can fill in a form and then sign it. The attack pre-defines form fields that visually overlap the document's text content. After signing, the attacker sets the field values to display whatever text they want, covering the original content with what appears to be normal document text. The signature validates because the form field definitions were part of the signed content. Only the values changed — which the PDF spec considers permissible.

The Scoreboard: 16 out of 29

The researchers tested their three attack variants against 29 PDF applications, including the tools that governments, banks, law firms, and enterprises rely on for legally binding signatures. The results were not reassuring.

16 applications were vulnerable to at least one variant. The list included the most widely used commercial and open-source PDF viewers. Some were susceptible to all three attack types; others fell to just one. These are not obscure tools — they are what hundreds of millions of people use to open, trust, and act on signed documents every day.

The underlying issue is that the PDF specification allows incremental updates to a signed document — an intentional design feature that enables things like form filling after signing. The specification does not clearly define which incremental updates should invalidate a signature and which should not. Different viewers draw that line in different places, and attackers exploit the ambiguity.

What This Means for E-Signatures

Shadow attacks do not break the cryptography of digital signatures. They exploit something more subtle: the gap between what the signer saw and what the recipient sees, even though both are looking at a document with a "valid" signature. The trust model of digital signatures assumes that a valid signature means the document has not been altered. Shadow attacks prove that assumption wrong.

For any workflow where a signed PDF is the authoritative record — real estate closings, loan agreements, government filings, procurement contracts — this is a fundamental problem. The signer and the recipient may be looking at different documents, and neither one can tell.

Practical Defenses

Vendors have been patching since the vulnerabilities were disclosed. Major PDF readers released fixes, and many other viewers have tightened their incremental update validation. But patching is only part of the picture. These steps reduce exposure:

  1. Update PDF viewers regularly. Patches for these specific attacks exist, but they only take effect once installed. Older versions of most PDF readers remain vulnerable.
  2. Look beyond "signature valid." A valid signature paired with a warning about modifications after signing is worth investigating. Some viewers flag incremental updates separately from signature status.
  3. Sign documents locally. PDFb2's Sign tool adds signatures client-side, so the document never passes through a server where hidden content could be injected.
  4. Add password protection after signing. PDFb2's Protect tool adds encryption as a second layer of tamper resistance — an attacker who cannot open the file cannot add incremental updates to it.
  5. Flatten interactive elements before signing. Documents with form fields, layers, or annotations can be flattened into simple page-based PDFs before signing. This removes the interactive elements that shadow attacks rely on. Fewer moving parts means fewer places to hide.
  6. Cross-check across viewers. A signed document that renders differently in two PDF readers is a red flag. Legitimate documents look the same everywhere.
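
The check behind step 2, as an added example (not code from the researchers or from PDFb2): it reads each signature's /ByteRange and reports any bytes appended after the signed range, which is where an incremental update lives. The function names, the watch list of PDF names, and the sample bytes are constructed for this illustration.

```python
import re

# /ByteRange [off1 len1 off2 len2]: the two byte spans the signature hash covers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# Heuristic watch list (an assumption of this example): names for layers, forms
# and annotations. Names inside compressed object streams will not be seen.
WATCH = (b"/OCProperties", b"/OCG", b"/AcroForm", b"/Annots")

def audit_signed_pdf(data: bytes) -> list:
    """For each signature, describe the bytes that lie after its signed range."""
    findings = []
    for m in BYTE_RANGE.finditer(data):
        off1, len1, off2, len2 = map(int, m.groups())
        tail = data[off2 + len2:]  # everything this signature does not cover
        findings.append({
            "starts_at_zero": off1 == 0,
            "unsigned_trailing_bytes": len(tail),
            "later_revisions": tail.count(b"%%EOF"),
            "watch_names": [n.decode() for n in WATCH if n in tail],
        })
    return findings

def needs_review(data: bytes) -> bool:
    """True when no signature (or none at all) covers the file to its last byte."""
    return not any(f["starts_at_zero"] and f["unsigned_trailing_bytes"] == 0
                   for f in audit_signed_pdf(data))

def make_sample(update: bytes = b"") -> bytes:
    """Constructed, PDF-like bytes with a consistent /ByteRange (not a real PDF)."""
    pre = (b"%PDF-1.7\n5 0 obj\n<< /Type /Sig /ByteRange "
           b"[0 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC] /Contents ")
    sig = b"<" + b"00" * 16 + b">"  # placeholder for the hex signature value
    post = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    for mark, val in ((b"A", len(pre)), (b"B", len(pre) + len(sig)), (b"C", len(post))):
        pre = pre.replace(mark * 10, b"%010d" % val)  # same width, offsets stay valid
    return pre + sig + post + update

# Constructed incremental update: a new catalog revision appended after signing.
UPDATE = (b"1 0 obj\n<< /Type /Catalog /OCProperties 9 0 R >>\nendobj\n"
          b"trailer\n<< /Prev 0 >>\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("as signed", make_sample()), ("after update", make_sample(UPDATE))):
        print(label, needs_review(doc), audit_signed_pdf(doc))
```

Trailing bytes are not proof of tampering, since form filling and additional signatures also append revisions; they are the cue to inspect what the later revision changed before trusting the "valid" badge.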

The Bigger Lesson

PDF is a 30-year-old format that has accumulated extraordinary complexity. The specification is over 1,000 pages long, and it supports features — layers, forms, JavaScript, embedded files, incremental updates — that most users never see or think about. Shadow attacks succeeded because they found a gap between what the spec allows and what users expect. The signature was mathematically valid. The document was visually compromised. Both statements were true at the same time, and that is the kind of bug that is hardest to fix — because it lives in the space between code and trust.

Sign and Protect PDFs — Entirely in Your Browser

PDFb2 lets you sign documents and add password protection without uploading to any server. Your files stay on your device, and you control what gets signed.