Mysterious “f.txt” popups served across publishers’ sites damage user experience and jeopardize the publisher-audience relationship as an innocent error in ad tracking code leaves audiences wary of the security of their devices.
In the last week of June 2022, several publishers reached out to GeoEdge to remedy the f.txt.js phenomenon, in which users browsing their sites faced an f.txt download popup.
The popup left online audiences wary of the security of their devices while also breeding mistrust in the sites they had been browsing because it involved an automated file download request popup. To get to the root of the incident, the GeoEdge security team researched the issue. Here’s what they uncovered.
This file is not malicious, and the automatic download is not a malvertising attack. The issue is a result of a mere misconfiguration in ad code. Users concerned about this mysterious file can relax: there’s nothing to worry about. Nevertheless, we recommend they reach out to the publisher whose site had this pop-up and refer them to this article to learn how to fix the problem.
Read further for a detailed explanation.
What is f.txt?
The issue manifests as a browser dialog box to confirm a file download. The popups have a cross-browser, cross-platform (mobile) impact, having been detected on Safari, Google Chrome, and Mozilla Firefox in the same way.
iOS users see this file download as f.txt.js, while others see it only as an f.txt file.
This issue is neither new nor uncommon. In 2014, a particular website vulnerability was detected that allowed attackers to run malicious Flash SWF files from a remote domain while tricking browsers into thinking the files came from the website the user was currently on, bypassing the ‘same-origin’ policy. By doing so, potential attackers could easily collect users’ sensitive data.
Although Adobe, the developer of the Flash player, released multiple fixes for this issue, some sites and players, including Google and others, developed their own fix by forcing the HTTP header “Content-Disposition: attachment; filename=f.txt” on ad-related responses.
This header instructs the browser to treat the request as a file download, preventing potential attackers from running their malicious SWF files from remote domains.
Currently, this header is still sent in DoubleClick domains (ad.doubleclick.net), so ad-serving platforms need to pay attention to the format of DoubleClick trackers they use.
According to Google’s documentation, there are several formats that can be used, and each calls a different kind of tracker. The file download users complain about today is a result of some major ad-serving platforms utilizing these trackers incorrectly in iframes, where instead of using the format:
<IFRAME SRC="https://ad.doubleclick.net/ddm/trackimpi/…"> (ending in i)
they use the wrong URL to call an HTML tracker to run in the iframe:
<IFRAME SRC="https://ad.doubleclick.net/ddm/trackimpj/…"> (ending in j)
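The check described above can be automated when reviewing ad creative markup. The following Python script is an added example, not GeoEdge's detection code or part of the original article; it flags iframes whose src calls the "j" format on ad.doubleclick.net and suggests the "i" format. The sample creative, the EXAMPLE-PLACEMENT path segment, and the function and class names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

DCM_HOST = "ad.doubleclick.net"      # host named in the article
WRONG_IN_IFRAME = "/ddm/trackimpj/"  # format the article says is wrong in an iframe
RIGHT_IN_IFRAME = "/ddm/trackimpi/"  # format the article gives for iframes

# Constructed sample creative (not real ad code).
SAMPLE_CREATIVE = """<div class="ad-slot">
  <IFRAME SRC="https://ad.doubleclick.net/ddm/trackimpi/EXAMPLE-PLACEMENT"></IFRAME>
  <iframe src="//ad.doubleclick.net/ddm/trackimpj/EXAMPLE-PLACEMENT"></iframe>
  <script src="https://ad.doubleclick.net/ddm/trackimpj/EXAMPLE-PLACEMENT"></script>
  <iframe src="https://cdn.example.com/ddm/trackimpj/x"></iframe>
</div>
"""


class IframeTrackerAudit(HTMLParser):
    """Collects iframes whose src calls the 'j' tracker format."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # only the iframe case is described in the article
            return
        src = (dict(attrs).get("src") or "").strip()
        try:
            # scheme default lets protocol-relative //host/path URLs parse
            parts = urlsplit(src, scheme="https")
        except ValueError:
            return  # malformed URL, nothing to compare
        host = (parts.hostname or "").lower()
        if host == DCM_HOST and parts.path.lower().startswith(WRONG_IN_IFRAME):
            line, _col = self.getpos()
            fixed = re.sub(re.escape(WRONG_IN_IFRAME), RIGHT_IN_IFRAME,
                           src, count=1, flags=re.I)
            self.findings.append({"line": line, "src": src, "suggested": fixed})


def audit_creative(html):
    """Return one finding per iframe that uses the wrong tracker format."""
    parser = IframeTrackerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for f in audit_creative(SAMPLE_CREATIVE):
        print(f"line {f['line']}: {f['src']} -> use {f['suggested']}")
```

Exact host matching keeps the audit from flagging unrelated domains that merely reuse the same path.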
How to remedy f.txt popups?
Online web forums and Reddit threads indicate much confusion about whether the popup is an innocent bug or dangerous malware. Some Antivirus companies even tried to leverage the opportunity to promote their products; however, this is not a malicious problem that can be addressed by antivirus software.
GeoEdge’s security research revealed that the f.txt.js and f.txt incidents are not malicious popups. Instead, they result from a setup issue that digital publishers and ad networks can fix.
After identifying the nature of the problem, GeoEdge’s Security team has taken action on two levels.
- We’ve set our system to detect and block ads that use the trackers incorrectly. GeoEdge’s publisher partners can rest assured their readers will not complain about the mysterious file downloaded to their devices.
- We informed the relevant ad-serving platforms of the incorrect utilization to resolve the problem.
Although it is not a security issue, this f.txt popup is undoubtedly a nuisance that tarnishes user experience and causes significant worry to both users and publishers. GeoEdge’s actions will end the problem immediately for publishers protected by the GeoEdge system, and later on for the entire industry, as the relevant platforms will fix the misconfiguration on their end.