Adobe's naughty Chrome telemetry code had XSS problem

Since patched, but a bad look for Adobe when it can't even get snoopware right

By Richard Chirgwin, 19 Jan 2017

Adobe's pushed out a fix for its already-controversial Chrome telemetry extension after Project Zero's Tavis Ormandy found an egregious bug.

The update that shipped last week pushed the extension to Chrome users. It was presented as a convenience update that let people print Web pages to PDF, and use Reader instead of Chrome's built-in PDF support. However, the extension also added telemetry, collecting user-level data (not URLs) and phoning it home to Adobe.

Here's what Adobe says about the extension's collection:

What information is collected?
  • Browser type and version
  • Adobe product information, such as version
  • Adobe feature usage, such as menu options or buttons selected

And here's what Ormandy says about the extension:

Ormandy's bug report goes on to say "I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc."

Adobe took the report seriously, and says it's already pushed a fix. ®