Google Chrome forcing download of f txt file

Question

After updating to Chrome 40 0 2214 111  variably when I visit certain Google related sites  like http   youtube com and get presented with an ad before the video   the browser downloads a file named f txt   I do not have any adblock plugins installed    f txt contains a few lines of JavaScript   starting with   if   window mraid   document write   x3cdiv class  GoogleActiveViewClass      id  DfaVisibilityIdentifier 3851468350  x3e    document write   x3ca target x3d x22 blank x22 href x3d x22https   adclick g doubleclick net pcs click xai x3dAKAOjsvDhmmoi2r124JkMyiBGALWfUlTX-zFA1gEdFeZDgdS3JKiEDPl3iIYGtj9Tv2yTJtASqD6S-yqbuNQH5u6fXm4rThyCZ0plv9SXM-UPKJgH4KSS08c97Eim4i45ewgN9OoG3E     In looking up the issue on Google  others have experienced the same  but I have not found any resolution or understanding of why this is happening  I assume it is a content-disposition related bug with some of the JS files loaded on the page  and will clear up in a future patch   Wondering if anybody else had experienced   insight

User · Answer

This can occur on android too not just computers. Was browsing using Kiwi when the site I was on began to endlessly redirect so I cut net access to close it out and noticed my phone had DL'd something f.txt in my downloaded files.

Deleted it and didn't open.

User · Answer

Seems related to https   groups google com forum   msg google-caja-discuss ite6K5c8mqs Ayqw72XJ9G8J   The so-called  Rosetta Flash  vulnerability is that allowing arbitrary yet identifier-like text at the beginning of a JSONP response is sufficient for it to be interpreted as a Flash file executing in that origin  See for more information  http   miki it blog 2014 7 8 abusing-jsonp-with-rosetta-flash   JSONP responses from the proxy servlet now    are prefixed with         which still allows them to execute as JSONP    but removes requester control over the first bytes of the response    have the response header Content-Disposition  attachment

User · Answer

FYI  after reading this thread  I took a look at my installed programs and found that somehow  shortly after upgrading to Windows 10  possibly probably  unrelated   an ASK search app was installed as well as a Chrome extension  Windows was kind enough to remind to check that   Since removing  I have not have the f txt issue

User · Answer

I experienced the same issue  same version of Chrome though it s unrelated to the issue  With the developer console I captured an instance of the request that spawned this  and it is an API call served by ad doubleclick net  Specifically  this resource returns a response with Content-Disposition  attachment  filename  f txt    The URL I happened to capture was https   ad doubleclick net adj N7412 226578 VEVO B8463950 115078190 sz 300x60     Per curl     curl -I  https   ad doubleclick net adj N7412 226578 VEVO B8463950 115078190 sz 300x60 click https   2975c v fwmrm net ad l 1 s b035 amp n 10613 3B40185 3B375600 3B383270 amp t 1424475157058697012 amp f  amp r 40185 amp adid 9201685 amp reid 3674011 amp arid 0 amp auid  amp cn defaultClick amp et c amp  cc  amp tpos  amp sr 0 amp cr  ord 435266097   HTTP 1 1 200 OK P3P  policyref  https   googleads g doubleclick net pagead gcn p3p  xml   CP  CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR  Date  Fri  20 Feb 2015 23 35 38 GMT Pragma  no-cache Expires  Fri  01 Jan 1990 00 00 00 GMT Cache-Control  no-cache  must-revalidate Content-Type  text javascript  charset ISO-8859-1 X-Content-Type-Options  nosniff Content-Disposition  attachment  filename  f txt  Server  cafe X-XSS-Protection  1  mode block Set-Cookie  test cookie CheckForPermission  expires Fri  20-Feb-2015 23 50 38 GMT  path    domain  doubleclick net Alternate-Protocol  443 quic p 0 08 Transfer-Encoding  chunked Accept-Ranges  none Vary  Accept-Encoding

User · Answer

This issue appears to be causing ongoing consternation  so I will attempt to give a clearer answer than the previously posted answers  which only contain partial hints as to what s happening    Some time around the summer of 2014  IT Security Engineer Michele Spagnuolo  apparently employed at Google Zurich  developed a proof-of-concept exploit and supporting tool called Rosetta Flash that demonstrated a way for hackers to run malicious Flash SWF files from a remote domain in a manner which tricks browsers into thinking it came from the same domain the user was currently browsing  This allows bypassing of the  same-origin policy  and can permit hackers a variety of exploits  You can read the details here  https   miki it blog 2014 7 8 abusing-jsonp-with-rosetta-flash    Known affected browsers  Chrome  IE Possibly unaffected browsers  Firefox  Adobe has released at least 5 different fixes over the past year while trying to comprehensively fix this vulnerability  but various major websites also introduced their own fixes earlier on in order to prevent mass vulnerability to their userbases  Among the sites to do so  Google  Youtube  Facebook  Github  and others  One component of the ad-hoc mitigation implemented by these website owners was to force the HTTP Header Content-Disposition  attachment  filename f txt on the returns from JSONP endpoints  This has the annoyance of causing the browser to automatically download a file called f txt that you didn t request mdash but it is far better than your browser automatically running a possibly malicious Flash file  In conclusion  the websites you were visiting when this file spontaneously downloaded are not bad or malicious  but some domain serving content on their pages  usually ads  had content with this exploit inside it  Note that this issue will be random and intermittent in nature because even visiting the same pages consecutively will often produce different ad content  For example  the advertisement domain ad doubleclick net probably serves out hundreds of thousands of different ads and only a small percentage likely contain malicious content  This is why various users online are confused thinking they fixed the issue or somehow affected it by uninstalling this program or running that scan  when in fact it is all unrelated  The f txt download just means you were protected from a recent potential attack with this exploit and you should have no reason to believe you were compromised in any way  The only way I m aware that you could stop this f txt file from being downloaded again in the future would be to block the most common domains that appear to be serving this exploit  I ve put a short list below of some of the ones implicated in various posts  If you wanted to block these domains from touching your computer  you could add them to your firewall or alternatively you could use the HOSTS file technique described in the second section of this link  http   www chromefans org chrome-tutorial how-to-block-a-website-in-google-chrome htm Short list of domains you could block  by no means a comprehensive list   Most of these are highly associated with adware and malware    ad doubleclick net adclick g doubleclick net secure-us imrworldwide com d turn com ad turn com secure insightexpressai com core insightexpressai com

[google-chrome] Google Chrome forcing download of "f.txt" file

Examples related to google-chrome