Adobe's naughty Chrome telemetry code had XSS problem

Since patched, but a bad look for Adobe when it can't even get snoopware right

Adobe's pushed out a fix for its already-controversial Chrome telemetry extension after Project Zero's Tavis Ormandy found an egregious bug.

The update that shipped last week pushed the extension to Chrome users. It was presented as a convenience update that let people print Web pages to PDF, and use Reader instead of Chrome's built-in PDF support. However, the extension also added telemetry, collecting user-level data (not URLs) and phoning it home to Adobe.

Here's what Adobe says about the extension's collection:

What information is collected?
  • Browser type and version
  • Adobe product information, such as version
  • Adobe feature usage, such as menu options or buttons selected

And here's what Ormandy says about the extension:

Ormandy's bug report goes on to say "I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc."

Adobe took the report seriously, and says it's already pushed a fix. ®


Biting the hand that feeds IT © 1998–2017