According to EdgeSpot, a vulnerability exists in the included PDF reader for Google Chrome. This affects all iterations of Google Chrome, including ChromeOS.
The vulnerability has been labeled as a zero-day flaw and has existed since December 2018 when EdgeSpot began noticing “leaking” PDF data.
Since late last December, some interesting PDF samples were found by our engine. These samples acted as “no problem” when opened in popular Adobe Reader, however, they made suspicious outbound traffic when they’re opened locally on Google Chrome.
The information that is collected and distributed to an unknown recipient:
- The public IP address of the user.
- OS, Chrome version etc (in HTTP POST header).
- The full path of the PDF file on user’s computer (in HTTP POST payload).
EdgeSpot reported the issue to Google in December. Google responded to the flaw in February to say that a fix will be coming in April.
EdgeSpot suggests using a different PDF reader until the patch is available. Adobe Reader (surprisingly) does not contain the flaw.