Mysterious “f.txt” popups served across publishers’ sites damage user experience and jeopardize the publisher-audience relationship as an innocent error in ad tracking code leaves audiences wary of the security of their devices.
No one understood what was happening. In the last week of June 2022, several publishers reached out to GeoEdge looking for an explanation for what they thought was a new phenomenon. Visitors to their websites were suddenly getting mysterious download pop-ups in their browser asking for permission to download an “f.txt file”.
When this happened, the user would see a browser dialog box asking to confirm a file download. Although many of the initial complaints came from Mozilla Firefox users, we soon discovered that it is actually a cross-platform issue that has been detected on all browsers including Safari, Google Chrome, and Mozilla Firefox. However, iOS users, or users of Apple products, see the file download pop-up as f.txt.js, while others, like Firefox users, see the pop-up only as an f.txt file.
The publishers wanted to know what the browser download files were and were worried that the pop-ups might be a security threat, like a malware attack that was downloaded automatically onto the victim’s computer. They needed additional inputs and information to keep their sites safe and select preferences in their ad campaigns to prevent the problem from occurring. Since there were few or no answers about these file downloads in standard protocols, the GeoEdge expert team decided to dig deeper to find the elusive answer to the question: what is f.txt?
What is f.txt?
F.txt pop-ups appear due to a misconfiguration of ad trackers in iFrames. Although they are not malicious, they can have a negative impact on the user experience.
Our research found that the f.txt file issue is actually neither new nor uncommon—it’s been plaguing the internet for years in various forms and versions. It can occur on any web browser, including Firefox, Google Chrome, or Safari.
The problem began in 2014, when a particular website vulnerability was detected that allowed attackers to run malicious Flash SWF files from a remote domain. These malware files tricked the internet browser (Firefox, Safari, Google Chrome etc.) into thinking they came from the website the users were currently in, bypassing the ‘same-origin’ policy for users browsing. By doing so, attackers could easily collect sensitive user data from online entries.
Although Adobe, the developer of the Flash player, released multiple fixes for this issue, some sites and players, including Google and others, developed their own fix by forcing the HTTP header “Content-Disposition: attachment; filename=f.txt” on ad-related responses. This header instructs the browser to treat the response as a file download, preventing potential attackers from running their malicious SWF files from remote domains.
Currently, this header is still sent in DoubleClick domains (ad.doubleclick.net), so ad-serving platforms need to pay attention to the format of DoubleClick trackers they use.
According to Google’s documentation, there are several f.txt file formats that can be used and each calls a different kind of tracker. The f.txt file download users complain about today is the result of some major ad-serving platforms utilizing these trackers incorrectly in iFrames, where instead of using the format:
<IFRAME SRC="https://ad.doubleclick.net/ddm/trackimpi/…"> (ending in i)
they use the wrong URL to call an HTML tracker to run in the iframe:
<IFRAME SRC="https://ad.doubleclick.net/ddm/trackimpj/…"> (ending in j)
That URL returns JavaScript code, which results in a download of the f.txt file to the user’s computer or device. Although the file is not malicious or harmful, the web browser asks the user to approve the system download. Since users are not expecting this behavior, they are often rightfully concerned when they see the window on their computer and are hesitant to press Enter.
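A check for the misconfiguration described above, as an added example that is not GeoEdge's or Google's code: it scans ad markup for iframes whose SRC uses the JavaScript tracker format (trackimpj) on ad.doubleclick.net. The function and class names and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRACKER_HOST = "ad.doubleclick.net"
JS_TRACKER_PREFIX = "/ddm/trackimpj/"  # JavaScript format ("ending in j")

# Constructed sample creative; the CONSTRUCTED-n path parts are placeholders.
SAMPLE = """<div class="ad-slot">
<IFRAME SRC="https://ad.doubleclick.net/ddm/trackimpi/CONSTRUCTED-1"></IFRAME>
<IFRAME SRC="https://ad.doubleclick.net/ddm/trackimpj/CONSTRUCTED-2"></IFRAME>
<script src="https://ad.doubleclick.net/ddm/trackimpj/CONSTRUCTED-3"></script>
<iframe src="//AD.DoubleClick.net/ddm/trackimpj/CONSTRUCTED-4"></iframe>
</div>"""


class IframeTrackerAudit(HTMLParser):
    """Collect iframes that load the JavaScript tracker format."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        if tag != "iframe":
            return  # a <script> loading trackimpj is the intended use
        src = (dict(attrs).get("src") or "").strip()
        url = urlsplit(src, scheme="https")  # also accepts //host/path
        if (url.hostname or "") != TRACKER_HOST:
            return
        if url.path.lower().startswith(JS_TRACKER_PREFIX):
            line, _ = self.getpos()
            self.findings.append({"line": line, "src": src})


def audit_creative(markup):
    """Return one finding per iframe that would trigger the f.txt download."""
    parser = IframeTrackerAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_creative(SAMPLE):
        print(f"line {finding['line']}: iframe loads JS tracker {finding['src']}")
```

Only the two iframes using the trackimpj path are reported; the trackimpi iframe and the script tag pass.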
Do users need to worry about an f.txt file download virus?
Users concerned about this mysterious file can relax—there’s nothing to worry about. The f.txt file is not malicious, and the automatic file downloaded is not malware or a malvertising attack. The issue is simply a harmless misconfiguration in the ad code. Nevertheless, we recommend that users who experience the problem reach out to the publisher and refer them to this article to learn how to fix the problem.
Do internet publishers need to worry about f.txt files?
As explained above, f.txt is not malware, but rather an innocent error in the ad tracking code. However, it looks threatening, and therefore often leaves audiences wary of the security of their computer or other devices, as well as their site data. This sense of threat often leads them to take action to block pop-ups, select settings, or select web browser preferences that make it more difficult for the publishers to earn ad revenue.
Therefore, it definitely isn’t something that publishers should ignore on their sites or apps. When a mysterious f.txt popup appears on publishers’ websites, it can have a detrimental impact on their user experience and jeopardize the publisher-audience relationship online.
How to remedy f.txt popups?
Blocking ads with incorrect utilization is the best way to remedy f.txt messages and prevent a negative user experience.
Online web forums, Google, Safari, and Firefox support forum posts, and Reddit threads asking “what is f.txt” indicate that there is still a lot of confusion about whether the pop-ups are an innocent bug or dangerous malware. They often advise users to do one of the following whenever the issue manifests:
- A browser cache update
- Empty caches
- Delete cached images
- Change Safari preferences and try not to leave Safari open
- Check the applications folder for anything unusual
- Clear history on their web browsers (such as Google Chrome, Firefox, or Safari)
- Update their web browser to the latest stable version
Some antivirus companies have even tried to leverage the opportunity to promote their products. However, f.txt pop-ups are not malicious code files, viruses, or other malware that can be addressed by installing antivirus software on your computer or system.
After GeoEdge’s security section research identified the nature of the main problem and confirmed that the f.txt.js and f.txt incidents are not a malicious pop-up, malware, a browser hijacker, or even potentially unwanted programs or software designed to attack a computer, the security team took action on two levels.
- We set our system to detect and block ads with incorrect utilization. GeoEdge’s publisher partners can rest assured their readers will not complain about the mysterious file being downloaded to their devices.
- We informed Google Adsense and other relevant ad-serving platforms of the incorrect utilization and provided troubleshooting information to resolve the problem.
Although it is not a security issue, this f.txt popup is undoubtedly a nuisance that impacts the user experience and causes significant worry to both users and publishers. We’ve taken action that will end the problem immediately for publishers protected by the GeoEdge system, and hopefully will help other websites and the entire industry as the relevant ads and adware platforms fix the misconfiguration on their end.