TL;DR
Yes, PDFs can embed tracking images (often 1×1 pixel ‘web beacons’). When a PDF is opened and the image loads, it sends a request to a server, revealing information about who opened it and when. This guide explains how this works and what you can do about it.
How PDF Tracking Works
- The Setup: A tracking image (usually a very small GIF or PNG) is added to the PDF document during creation.
- Image URL: This image isn’t hosted on your computer; it lives on a web server controlled by whoever wants to track you. The image’s source URL contains information that identifies the recipient, often encoded in the filename or as part of the query string. For example:
https://tracking.example.com/beacon.gif?id=user123&pdfname=report.pdf
- PDF Opening: When you open the PDF, your PDF viewer (Adobe Reader, Preview, etc.) tries to download and display all images within it.
- Request Sent: This triggers a request to the tracking server at the URL specified in the image tag.
- Data Collection: The server logs details about the request – your IP address, timestamp, browser information (from PDF viewer headers), and any other identifiers passed in the URL.
Checking for Tracking Images
- Examine Image Properties: Open the PDF in Adobe Acrobat Pro (not Reader). Go to ‘Tools’ > ‘Print Production’ > ‘Preflight’. Create a custom fixup and search for images.
- Inspect Embedded Files: In Acrobat Pro, go to ‘File’ > ‘Properties’ > ‘Custom Tab’. Look at the embedded files list. Suspiciously named image files (e.g., ‘beacon.gif’, ‘tracking.png’) are a red flag.
- Network Monitoring: Use a network monitoring tool like Wireshark or Fiddler to see if any requests are sent to external servers when you open the PDF. This is more technical but provides definitive proof.
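A static complement to the checks above, as an added example (not from the original guide): it scans a PDF's bytes, including Flate-compressed streams, for remote image URLs that carry query-string identifiers like the beacon URL shown earlier. The function names and sample bytes are constructed for illustration, and it assumes the URL appears as a literal string; encrypted or otherwise encoded content is not covered.

```python
import re
import zlib
from urllib.parse import urlsplit, parse_qs

URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg")

def extract_urls(pdf_bytes):
    """Collect http(s) URLs from the raw file and from Flate-compressed streams."""
    chunks = [pdf_bytes]
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data; its raw bytes were already scanned above
    urls = set()
    for chunk in chunks:
        urls.update(u.decode("latin-1") for u in URL_RE.findall(chunk))
    return urls

def beacon_candidates(pdf_bytes):
    """Flag remote image URLs that carry query-string identifiers."""
    hits = []
    for url in sorted(extract_urls(pdf_bytes)):
        parts = urlsplit(url)
        params = sorted(parse_qs(parts.query))
        if parts.path.lower().endswith(IMAGE_EXT) and params:
            hits.append((parts.hostname, parts.path, params))
    return hits

# Constructed sample: a minimal PDF-like fragment, not a real tracked document.
_STREAM = zlib.compress(b"BT (See https://docs.example.org/manual.html) Tj ET")
SAMPLE = (
    b"%PDF-1.4\n1 0 obj\n<< /S /URI /URI "
    b"(https://tracking.example.com/beacon.gif?id=user123&pdfname=report.pdf) >>\nendobj\n"
    b"2 0 obj\n<< /Length " + str(len(_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _STREAM + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for host, path, params in beacon_candidates(SAMPLE):
        print(f"possible beacon: host={host} path={path} params={params}")
```

A hit is a lead to confirm with the network capture described above, not proof on its own; a clean result does not rule out references hidden by encryption or other stream filters.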
Preventing Tracking
- Disable Automatic Image Loading: Most PDF viewers allow you to disable automatic image loading. In Adobe Reader:
  - Go to ‘Edit’ > ‘Preferences’.
  - Select ‘Security (Enhanced)’.
  - Uncheck ‘Enable JavaScript’ (important, as JavaScript can also be used for tracking).
  - Under ‘Image Handling’, select ‘Never download images’.
- Use a Privacy-Focused PDF Viewer: Some viewers are designed with privacy in mind and block tracking by default.
- Sandbox the PDF: Open the PDF within a virtual machine or sandbox environment to isolate it from your main system.
- Remove Embedded Images (Advanced): In Acrobat Pro, you can delete embedded images before opening the PDF. Be careful, as this might affect the document’s appearance if legitimate images are removed. (In Acrobat Pro: Tools > Edit PDF > Remove Image)
- Be Wary of Unknown Sources: The best defense is to only open PDFs from trusted sources.
Cyber Security Considerations
PDF tracking is a relatively simple form of data collection, but it can be used for phishing attacks or to build profiles on individuals without their consent. Always exercise caution when dealing with unsolicited PDFs.