Data-tracking Chrome flaw triggered by viewing PDFs

Researchers have spotted an unusual ‘trackware’ attack triggered by viewing a PDF inside the Chrome browser.

Security company EdgeSpot said it noticed suspicious PDFs, which seem to have been circulating since 2017, sending HTTP POST traffic to the tracking site

The behaviour only happened when a user viewed a PDF using desktop Google Chrome – when opened in Adobe Reader the PDF’s behaviour returned to normal.

Data sent included the user’s IP address, the Chrome and OS versions, and the full path of the PDF on their computer.

While not the most fearsome-sounding exploit going, the design is similar to an attack discovered last April (CVE-2018-4993) designed to steal NT Lan Manager (NTLM v2) hashes via the Adobe and Foxit readers.

A second variant of this attack was later discovered by EdgeSpot in November, identified and patched as CVE-2018-15979.

Why would someone be interested in relatively innocuous data?

I’m speculating here, but one possibility might be to test the feasibility of using PDFs in this way in advance of a more significant campaign.

If so, it wasn’t a bad strategy for crawling under the radar in a way that would be harder to pull off when trying the same technique against Adobe Reader. Wrote EdgeSpot:

We decided to release our finding prior to the patch because we think it’s better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away.

What to do

Until the issue is patched, EdgeSpot’s recommendation is to view PDFs in an application other than Chrome, or even disconnect a computer from the internet when opening PDFs (Chrome on Android isn’t affected as opening PDFs on mobile devices is done through a separate app).

A possible alternative is to change Chrome’s default option of rendering PDFs in the browser so that instead they download for viewing in a separate application such as Adobe Reader. This is done via Settings > Advanced > Content Settings > PDF documents, ticking the option Download PDF files instead of automatically opening them in Chrome.

Note that if you’re running Reader DC on Windows, it might also have installed a separate Chrome extension for opening PDFs. This doesn’t override Chrome’s PDF download/display settings so can be left enabled.

According to EdgeSpot, Google will fix the vulnerability in “late April”, presumably a reference to Chrome 74 due on the 23 April (30 April on Chromebook).