Chrome Zero-Day Exploited to Harvest User Data via PDF Files

Exploit detection service EdgeSpot says it has spotted several PDF documents that exploit a zero-day vulnerability in Chrome to collect information on users who open the files through Google’s web browser.

EdgeSpot claims to have identified several samples in the wild. When one of the PDFs is opened with Chrome, a document is shown to the user, but various pieces of information are collected and sent to a remote server in the background.

Researchers say there is no suspicious activity when the files are opened using a viewer such as Adobe Reader, but outbound traffic has been detected when they are opened with Chrome.

EdgeSpot says the specially crafted documents, which have been observed since late December, collect data such as IP address, operating system and Chrome versions, and the full path of the PDF file on the victim’s system.

The data is sent via an HTTP POST request to a remote server without requiring any user interaction. The samples analyzed by the researchers have been sending the data to one of two domains: burpcollaborator.net or readnotify.com.
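One way to hunt for this traffic in web-proxy logs, as an added example that is not from EdgeSpot or the original article. Only the two domains come from the report; the log format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# The two domains named in the EdgeSpot report; subdomains count as well.
REPORTED_DOMAINS = ("burpcollaborator.net", "readnotify.com")

# Constructed proxy log format: timestamp client method target status "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3}) "([^"]*)"$')
# Constructed sample lines: every address, host label, path and agent is made up.
CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/72.0.0.0 Safari/537.36")
SAMPLE_LOG = "\n".join([
    f'2019-01-15T09:14:02Z 10.0.4.17 POST http://x7k2.burpcollaborator.net/ 200 "{CHROME}"',
    f'2019-01-15T09:20:41Z 10.0.4.23 POST http://ReadNotify.com:80/t 200 "{CHROME}"',
    f'2019-01-15T09:21:10Z 10.0.4.23 GET http://www.readnotify.com/ 200 "{CHROME}"',
    f'2019-01-15T09:30:55Z 10.0.4.31 POST http://readnotify.com.example.org/ 200 "{CHROME}"',
    f'2019-01-15T09:31:07Z 10.0.4.31 POST http://notburpcollaborator.net/ 200 "{CHROME}"',
    '2019-01-15T09:40:00Z 10.0.4.40 POST http://q1.burpcollaborator.net/ 200 "curl/7.64.0"',
    f'2019-01-15T09:45:12Z 10.0.4.52 CONNECT p9.burpcollaborator.net:443 200 "{CHROME}"',
])


def is_reported(host):
    """True for a reported domain or any subdomain of one, not for lookalikes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REPORTED_DOMAINS)


def find_callbacks(log_text):
    """Return (timestamp, client, host, kind) for Chrome requests to those domains."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "Chrome/" not in m[6]:
            continue
        ts, client, method, target = m.group(1, 2, 3, 4)
        if method == "POST":
            host, kind = urlsplit(target).hostname or "", "post"
        elif method == "CONNECT":  # HTTPS tunnel: the request inside is not visible
            host, kind = target.rsplit(":", 1)[0], "tunnel"
        else:
            continue
        if is_reported(host):
            hits.append((ts, client, host.lower(), kind))
    return hits


if __name__ == "__main__":
    print(*find_callbacks(SAMPLE_LOG), sep="\n")
```

Treat each hit as a lead to tie back to the PDF the client had open at that time. Without TLS inspection an HTTPS request shows up only as the tunnel line, so the POST method cannot be confirmed for it.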

A screenshot posted by EdgeSpot shows that one of the malicious files was a modified version of a document from Lonely Planet on the history of the Bay Islands in Honduras. Based on the names of the malicious files, they all appear to reference Honduras.

A majority of the samples found by EdgeSpot have very low detection rates on VirusTotal at the time of writing – they are either marked as “clean” by all antiviruses or they are detected by only 2-3 products.

EdgeSpot said it reported its findings to Google on December 26. However, it claims that Chrome developers only plan on rolling out a fix in late April. SecurityWeek has reached out to Google for comment and will update this article if the company responds.

“We decided to release our finding prior to the patch because we think it’s better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away,” EdgeSpot said.

Until a patch is released, users have been advised to avoid opening suspicious PDF documents via Chrome and use other PDF viewers.

Adobe also released patches recently for some Reader vulnerabilities that can be exploited to harvest user data via PDF files.

UPDATE. Google has told SecurityWeek that it does have a fix in place and is planning on rolling it out in the near future.

Security expert Patrick Wardle has analyzed the PDFs. The problem, according to Wardle, is that Chrome doesn’t alert users when a PDF submits data to a remote server, which allows this type of tracking. He believes this should not be classified as a “zero-day.”

The researcher pointed out that the ReadNotify.com domain referenced by EdgeSpot specializes in this type of tracking and it has been around since 2010.

“It’s a bug in the sense that Google Chrome should alert the user about what the PDF document is trying to do,” Wardle told SecurityWeek. “Acrobat Reader for example will warn the user.”

“I’m more saying that this PDF is simply generated by a company that develops tracking capabilities. And has been using this technique for a decade. So I wouldn’t really say it’s a zero day flaw or something that’s recent or that now,” Wardle added. “In other words ReadNotify is a company that says ‘we can track when a PDF document is opened’ and this is how they do it, and the document that these researchers uncovered was simply one of these documents.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
