Since patched, but a bad look for Adobe when it can’t even get snoopware right
Adobe’s pushed out a fix for its already-controversial Chrome telemetry extension after Project Zero’s Tavis Ormandy found an egregious bug.
The update that shipped last week pushed the extension to Chrome users.
It was presented as a convenience update that let people print Web pages to PDF, and use Reader instead of Chrome’s built-in PDF support. However, the extension also added telemetry, collecting user-level data (not URLs) and phoning it home to Adobe.

Here’s what Adobe says about the extension’s collection:
What information is collected?

Browser type and version
Adobe product information, such as version
Adobe feature usage, such as menu options or buttons selected

And here’s what Ormandy says about the extension:

I took a quick look at the extension.

There was an easy privileged javascript code execution bug.
Sigh. https://t.co/9Ka4y5r43M https://t.co/Wi6OVmYM5q
— Tavis Ormandy (@taviso) January 18, 2017
Ormandy’s bug report goes on to say “I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc.”
Adobe took the report seriously, and says it’s already pushed a fix. ®