Trojan found in an HTML page stored in zotero. How to limit the contagion in group libraries?

Hi there,

Today my Endpoint Protection found a malware, and it turned to be a Trojan in a HTML file in Zotero storage.

FYI the malware attacked a docx I was editing (I have the citation plug-in) and starting erasing text as if my delete key from my keyboard was stuck. I managed to force close MS word (2010 version i think). Not sure if that's relevant but I'm 80% sure that this particular reference was not cited in the document.

Anyway, the local html file was instantaneously quarantined by my antivirus. But I'm not sure if my libraries synchronise after that. Within the next hour, the computer was disconnected from internet and is now being tested bby my IT department. (don't have it anymore).

The thing is, I only know the local storage path of the file on my C drive, but can't know in which library it was (maybe still is on the cloud?). I have many group libraries shared with different people.

So what do I do know?
I tried to search for the file on the online interface but I think it looks only in my personal library and it couldn't find anything.

Four questions:
1- Is there a way that I can search for the file in all my groups?
2- Since it's an HTML file related to a web page reference, do the search engine even work? (maybe or searches only in the ref metadata)
3- Does zotero cloud automatically removes threats like that? Do we get notified if anything happens?
4- can zotero "security team" (if that exists) scan my libraries in case the Trojan is hiding somewhere else?

I'd like to avoid that my collaborators synchronise it on their local machine too.

Thanks for your help
  • edited February 6, 2020
    This doesn't really have much to do with Zotero, and it doesn't point to a Zotero security issue — it's just some code in a webpage snapshot from a webpage you saved to Zotero. You had to be viewing the affected page to begin with, and you'd get the same thing on disk if you did a "Save Page As" from your browser.

    It's actually pretty unlikely that a problem in an HTML file would affect the rest of your computer, unless you actually downloaded a file and launched it. Barring a browser security bug, malware in HTML pages is generally limited to things like cryptocurrency mining while you're actively viewing a page — it doesn't affect the rest of your system. It's entirely possible the thing you found in Zotero storage is unrelated to the malware that was affecting Word.

    In any case, you can paste the 8-character folder name from 'storage' into the Zotero search bar in All Fields & Tags mode in the library root to find the attachment item in question, delete it, and empty the trash, and then sync. The item will then be deleted from all synced computers.
  • Hi dstilman,
    I know this is not a Zotero security issue per se, it's just inherent to how Zotero works with synchronization of files. I'm not attacking Zotero itself, it's a great tool and I mean to keep using it.

    I don't know how the Trojan ended up in this html, I just know that's what my anti-virus found instantaneously during the malware attack. But if you think this is unlikely, well ok. Then my anti-virus is wrong.

    Finally, I know how to find an attachment on my local machine. I opened the folder right after the attack and the file had disappeared locally because, as I said, it was quarantined. But my computer was disconnected from internet at that point because I get internet through my work network, and that's the policy when you get such warning, you unplug the cable to avoid any potential spread to the whole network.

    So the deletion was not synced to the cloud.

    My question is: how can I find this attachment in the cloud since I don't know in which library it is on my account.
    My IT department will potentially wipe my machine, hence no hope for syncing the deletion to the cloud in the near future.
    The search engine on the online interface does not allow to go to the root of all libraries as far as I could see.

  • edited February 6, 2020
    Even in Zotero itself, you would need to check the root of each library, so that part isn't different online, but you can't search for attachments by folder name (a.k.a. item key) online.

    If you email the 8-character folder name to with a link to this thread, we should be able to tell you what library of yours it's in, so that you can delete the item online.
    I don't know how the Trojan ended up in this html, I just know that's what my anti-virus found instantaneously during the malware attack. But if you think this is unlikely, well ok. Then my anti-virus is wrong.
    Just to clarify, I'm not suggesting that the anti-virus is wrong about there being something in the HTML. That can easily happen if a website you save from is hacked and serving some bad code. There just aren't a lot of mechanisms for that to affect anything outside of your browser. I'd be curious to know what exactly it said it found.
  • OK thanks, I wrote to

    Good to know that the search engine in the desktop app "works" with the 8-character folder name (provided that you're searching from the root of the correct library).
  • I sent a link to the group item via email.
  • Found it and deleted it. Thanks!
Sign In or Register to comment.