Security company EdgeSpot has discovered PDF documents that exploit a zero-day vulnerability in Google Chrome’s PDF viewer to collect information about the user.
EdgeSpot has discovered two different sets of PDF files, one of which was distributed in October 2017 and the other in September 2018.
The first batch sent user data back to the domain readnotify.com, while the second sent it to zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net. The PDFs showed this behavior only in Chrome’s PDF viewer, not in other PDF viewers.
The researchers did not find any other malicious code in the PDF files and informed Google of the discovery at the end of last year. According to EdgeSpot, collecting data about users who open a PDF file can help attackers refine future attacks and exploits.
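As an added example (not code from the article, EdgeSpot or Google), a small Python scanner a defender could run over suspect PDFs: it pulls http(s) URLs out of the raw file and out of any zlib-compressed streams it can inflate, and flags those whose host is, or sits under, one of the two domains named above. Matching on the parent domain matters for the second indicator, because burpcollaborator.net is the domain of Burp Suite’s out-of-band Collaborator service and every instance gets its own subdomain. The sample PDF bytes are constructed for the example; the regexes and function names are mine, not part of any library.

```python
import re
import zlib
from urllib.parse import urlsplit

# Indicator domains named in the article: the ReadNotify tracker and the
# Burp Collaborator parent domain. Hosts equal to or under these are flagged.
INDICATOR_DOMAINS = ("readnotify.com", "burpcollaborator.net")

# http(s) URLs inside raw PDF bytes. PDF string/name syntax delimits them with
# ')' '>' quotes or whitespace, so the match stops at those characters.
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

# Body of every 'stream ... endstream' object (DOTALL so binary data spans lines).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_urls(blob):
    """Return every http(s) URL found in a byte blob, decoded as latin-1."""
    return [m.decode("latin-1") for m in URL_RE.findall(blob)]


def inflate_streams(pdf_bytes):
    """Yield the decompressed body of each stream zlib can inflate (FlateDecode).
    decompressobj() tolerates trailing bytes; non-Flate streams raise and are skipped."""
    for body in STREAM_RE.findall(pdf_bytes):
        try:
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            continue


def host_matches(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def flag_beacon_urls(pdf_bytes, indicators=INDICATOR_DOMAINS):
    """Return (url, matched_domain) pairs for URLs, in the raw file or in any
    inflatable stream, whose host is a known beacon domain. Each URL reported once."""
    hits, seen = [], set()
    for blob in (pdf_bytes, *inflate_streams(pdf_bytes)):
        for url in extract_urls(blob):
            host = urlsplit(url).hostname or ""
            for dom in indicators:
                if host_matches(host, dom) and url not in seen:
                    seen.add(url)
                    hits.append((url, dom))
    return hits


def scan_file(path):
    """Convenience wrapper: scan a PDF on disk."""
    with open(path, "rb") as f:
        return flag_beacon_urls(f.read())


# Constructed sample: a benign link annotation, a compressed stream that hides a
# ReadNotify URL, and a plain URI pointing at the Collaborator host from the article.
_COMPRESSED = zlib.compress(b"/S /URI /URI (http://readnotify.com/track?id=CONSTRUCTED)")
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.com/doc) >> >> endobj\n"
    b"2 0 obj << /Length " + str(len(_COMPRESSED)).encode() + b" /Filter /FlateDecode >> stream\n"
    + _COMPRESSED
    + b"\nendstream endobj\n"
    b"3 0 obj << /S /URI /URI (https://zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net/) >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for url, dom in flag_beacon_urls(SAMPLE_PDF):
        print(f"FLAGGED {url}  (matches {dom})")
```

This is a string-level check, not a PDF parser: URLs in streams using other filters, inside object streams with further encoding, or assembled at runtime will not be found, so an empty result is not a clean bill of health. It is cheap enough to run across a mail gateway’s PDF attachments, and the indicator list is the only thing that needs maintaining.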
Google’s Chrome team has acknowledged the zero-day and has indicated that it will ship a fix before the end of April 2019. Until then, EdgeSpot recommends that users view PDF files in a desktop application or disconnect from the Internet when opening PDF documents in Chrome.
“We have decided to release our finding prior to the patch because we think it is better to give affected users a chance to be aware of the potential risk. The exploit is now being used actively in the wild, while it still takes some time for the patch to arrive,” according to EdgeSpot researchers.
(Not) malicious
Patrick Wardle, a security expert specializing in Mac malware, told ZDNet that the first batch of PDF files is probably harmless, although they abuse the bug in Chrome. According to Wardle, they were created with ReadNotify’s PDF tracking service, which lets users see when someone opens a PDF file. The service has existed since 2010.
“What the researchers have discovered is only a document tagged by ReadNotify,” Wardle told ZDNet. “But then again, Chrome should warn the user.”
The second batch of files is not known to be malicious either; it could also have been created for tracking or testing purposes.
This news article was automatically translated from Dutch for Techzine.eu.