Chrome bug used in the wild to collect user data via PDF files
-
This post of mine https://forum.vivaldi.net/post/279528 received zero feedback, but because IMO the issue is pretty important, i've now created this dedicated thread on it.
A security firm said this week that it discovered PDF documents exploiting what the company called a Google Chrome browser "zero-day." The vulnerability allowed attackers to collect data from users who opened PDF files inside Chrome's built-in PDF viewer.
Until a patch is out, EdgeSpot is recommending that users either use a desktop app to view PDF files or disable their internet connection while they open PDF documents in Chrome
https://blog.edgespot.io/2019/02/edgespot-detects-pdf-zero-day-samples.html
Summary
Since late December 2018, EdgeSpot has detected multiple PDF samples in the wild which exploit a Google Chrome zero-day unpatched flaw. The exploited vulnerability allows the sender of the PDF files to track the users and collect some user's information when they use Google Chrome as a local PDF viewer.
I do not know if V is immune to this problem, but my uninformed assumption is that if Chrome is vulnerable then probably Chromium is too, ergo probably also V is. That's the basis for my decision once i discovered this problem to disable the V internal pdf reader early this month.
Can a Mod or Soprano pls ask the V Devs to comment & advise?
-
@Steffie In one of the linked blog posts it says the issue is being addressed and a fix should be out late April. So I guess the Vivaldi devs don't have to do anything but up the Chromium version at some point, which happens regularly anyway. Chances to download an affected pdf file in the wild are practically zero, therefore I don't think this is critical, especially because it's "just" tracking. But if you're really concerned about it, my advice would be to use a third party pdf viewer for the next 2 to 3 months.
-
@luetage said in Chrome bug used in the wild to collect user data via PDF files:
linked blog posts it says the issue is being addressed and a fix should be out late April
Yep, saw that.
Vivaldi devs don't have to do anything but up the Chromium version at some point
...which implies that my expectation was correct, ie, V is also vulnerable, ie, the V Devs have not sprinkled some exotic Baltic fairydust onto the V code. Thought i should ask, rather than just keep assuming.
use a third party pdf viewer
...which indeed i am since disabling the V internal reader, but this is relatively a PITA hence my decision to post here to inform others + solicit Dev advice.
-
@raed I also saw a similar article and was about to post but you beat me to it!
-
I think it doesn't matter much, you get tracked everywhere anyhow. If you're really afraid of tracking, you probably shouldn't use Vivaldi. And again, just because they found the vulnerability doesn't mean you are likely to encounter it. Not every pdf file on the web will be affected - I believe common sense is enough: don't download stuff from shady websites, be it pdfs, videos, gifs, texts, whatever...
Personally I will continue using the internal pdf viewer with joy ^^
-
@raed said in Chrome bug used in the wild to collect user data via PDF files:
best to disable the internal PDF reader until this issue is addressed (settings->webpages->plugins)
Hence my OP stating
That's the basis for my decision once i discovered this problem to disable the V internal pdf reader early this month
-
@luetage said in Chrome bug used in the wild to collect user data via PDF files:
I think it doesn't matter much
I think differently [but i never ran Apple]
you get tracked everywhere anyhow
Perhaps, but that's no reason to just give up & empower the scoundrels. They shan't take me without a struggle, hence the suite of precautions i deploy [including a spare tinfoil beret for when t'other one's in the wash].
really afraid of tracking
No, rather, tis "really resentful of tracking"
doesn't mean you are likely to encounter it
Statistically i'm unlikely to be involved in a serious car accident, but i still wear my seatbelt.
Personally I will continue using the internal pdf viewer with joy
Personally i still wish that
a Mod or Soprano pls ask the V Devs to comment & advise?
-
Yay, it is fixed. From one of the original links, this update:
https://blog.edgespot.io/2019/02/edgespot-detects-pdf-zero-day-samples.html
[Update on April 24]
We have confirmed that Google Chrome update 74.0.3729.108 has fixed the issue, please update your Chrome if you have concern about the issue.
My current V-SS = Vivaldi 2.5.1525.4 / Chrome 74.0.3729.113.
However, current Stable = Vivaldi 2.4.1488.38 / Chrome 73.0.3683.105, so the issue remains active there for now.
-