Image: Google

A security firm said this week that it discovered PDF documents exploiting a what the company called a Google Chrome browser "zero-day." The vulnerability allowed attackers to collect data from users who opened PDF files inside Chrome's built-in PDF viewer.

Exploit detection service EdgeSpot, the company that found the files, says the PDF documents would contact a remote domain with information on the users' device --such as IP address, OS version, Chrome version, and the path of the PDF file on the user's computer.

This phone-home behavior did not take place when researchers opened the same PDF files in desktop PDF viewer apps, such as Adobe Reader and others, but was limited to Chrome only.

The company said it spotted two distinct sets of malicious PDF files exploiting this Chrome bug, with one series of files being circulated circa October 2017, and the second set in September 2018.

The first batch of malicious PDF files sent user data back to the "readnotify.com" domain, while the second sent it to "zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net," researchers said.

There was no additional malicious code in the PDF files that EdgeSpot discovered. However, collecting data on users who open a PDF file can aid attackers in fine-tuning future attacks and exploits.

But in a conversation with ZDNet after the publication of this story, Mac malware security expert Patrick Wardle explained that the first batch of files that EdgeSpot detected weren't meant to be malicious in nature, despite exploiting the Chrome bug. He said they were assembled using ReadNotify's PDF tracking service that lets users track when someone views their PDF files, a service that has been around since 2010.

"What the researchers 'uncovered' is just a document tagged by ReadNotify," Wardle told us, "but yes, Chrome should alert the user."

https://t.co/bH4YY0xPtL



Peeked at PDF & extracted JS 📝



"0day": Chrome doesn't alert when PDF submits data to remote server (can track PDF opens & survey/geolocate user)



How: via app.openDoc API & FDFs.



btw https://t.co/HA3qTcMEF7 has been doing this since (circa) 2010🤐🙈 pic.twitter.com/HUQZJApQGg — patrick wardle (@patrickwardle) February 28, 2019

There is no information available on the second set of PDF files (the ones circulated in September 2018) and their nature --if they were assembled by a threat actor, if they're just tests, or were generated for benign user tracking purposes.

For its part, EdgeSpot said it notified Google over the Christmas holiday, last year, when they first discovered the documents. The Chrome team acknowledged the vulnerability and promised a fix for late April.

"We decided to release our finding prior to the patch because we think it's better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away," researchers said in a blog post yesterday.

The blog post also contains samples and indicators of compromise (IOCs) for the PDF files the company discovered.

Until a patch is out, EdgeSpot is recommending that users either use a desktop app to view PDF files or disable their internet connection while they open PDF documents in Chrome.

In unrelated research, but also connected to the world of PDF documents, earlier this week, security researchers revealed vulnerabilities that allowed them to fake signatures on 21 of 22 desktop PDF viewer apps and 5 out of 7 online PDF digital signing services.

Article updated with Wardle's analysis. Title updated accordingly.



More browser coverage: