Adobe spies on readers: 'EVERY page you turn, EVERY book you own' leaked back to base

App sends data over the net unencrypted


Adobe's Digital Editions 4 ebook reader software collects detailed information about the reading habits of its users – and sends it back to the company in a format that's easy for others to slurp.

An investigation by Nate Hoffelder of The Digital Reader blog showed that ADE 4 was collecting telemetry on which pages of ebooks were being read, and in which order. This included the title, publisher, and other metadata, which was then sent to the company's mothership – a server called adelogs, no less – in plain text over the internet.

Benjamin Daniel Mussler, the researcher who spotted security flaws in Amazon's Kindle software, told The Register he had confirmed the data slurping was going on by setting up a dummy system using the software and monitoring traffic as a book was read.

"I started a fresh Windows system and installed Wireshark to capture any traffic and ADE 4. I then navigated through the Getting Started... ebook that comes with ADE 4. For example, I flipped to page 7, then 8, 7 again, 8, 7, 8. During the next launch, ADE sent this data unencrypted to http://adelogs.adobe.com/datacollector/receiver?id=com.adobe.rmsdk.nocert.dewin," he said.

More worryingly, Hoffelder claimed ADE 4 wasn't just collecting this data for its own ebooks, but was also scanning the host computer for all ebooks and sending back information on those as well.

Here at The Register we've conducted our own tests on the software and had similar results – information about ebooks opened on the computer was noted and later sent back to Adobe corporate servers in unencrypted form. The data is sent over plaintext HTTP to the IP address 192.150.16.235, which belongs to Adobe Systems in California.

[Image caption: What was sent over the wire ... Adobe leaking data about Alice's Adventures in Wonderland – we couldn't get hold of Nineteen Eighty Four quickly enough]

[Image caption: Creepy ... exactly when you turned each page is also blabbed over the web]

From our quick look at the exchanged packets, Digital Editions 4 sends an HTTP POST request to...

http://adelogs.adobe.com/ping?id=com.adobe.rmsdk.nocert.dewin

...or...

http://adelogs.adobe.com/ping?id=com.adobe.rmsdk.nocert.demac

...depending on your operating system – Windows or OS X. The client then sends over a hash value, and starts pumping information about the user's books and pages read, in real time, to Adobe's server. A video of the transfers in action was recorded by Andromeda Yelton.
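As an added example (not from the article or from Adobe), this Python sketch flags the plain-HTTP requests described above in a web proxy log, so an administrator can see which machines are sending reading data in the clear. The log format, timestamps and client addresses are constructed for illustration; only the host name and the two id values come from the article.

```python
from urllib.parse import urlsplit, parse_qs

# Host and ids as reported in the article; platform labels are inferred from its text.
COLLECTOR_HOST = "adelogs.adobe.com"
CLIENT_IDS = {
    "com.adobe.rmsdk.nocert.dewin": "Windows",
    "com.adobe.rmsdk.nocert.demac": "OS X",
}

# Constructed sample log. Assumed format: "<time> <client-ip> <method> <target>".
SAMPLE_LOG = """\
2014-10-07T10:01:12Z 10.0.0.21 POST http://adelogs.adobe.com/ping?id=com.adobe.rmsdk.nocert.dewin
2014-10-07T10:01:13Z 10.0.0.21 POST http://adelogs.adobe.com/datacollector/receiver?id=com.adobe.rmsdk.nocert.dewin
2014-10-07T10:02:40Z 10.0.0.34 POST http://adelogs.adobe.com/ping?id=com.adobe.rmsdk.nocert.demac
2014-10-07T10:03:02Z 10.0.0.21 GET http://example.org/index.html
2014-10-07T10:03:09Z 10.0.0.50 CONNECT adelogs.adobe.com:443
garbage line
"""

def find_cleartext_telemetry(log_text):
    """Return one finding per plain-HTTP request to the collector host."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # not in the assumed log format
        when, client, method, target = fields
        parts = urlsplit(target)
        if parts.scheme != "http":
            continue  # CONNECT tunnels and other schemes are not cleartext HTTP
        if (parts.hostname or "").lower() != COLLECTOR_HOST:
            continue
        client_id = parse_qs(parts.query).get("id", [""])[0]
        findings.append({
            "time": when, "client": client, "method": method, "path": parts.path,
            "platform": CLIENT_IDS.get(client_id, "unknown"),
        })
    return findings

def clients_by_platform(findings):
    """Group findings into {client-ip: set of reported platforms}."""
    summary = {}
    for f in findings:
        summary.setdefault(f["client"], set()).add(f["platform"])
    return summary

if __name__ == "__main__":
    for client, platforms in clients_by_platform(find_cleartext_telemetry(SAMPLE_LOG)).items():
        print(client, sorted(platforms))
```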

Since Adobe doesn't actually sell ebooks, this makes the slurping of the data very strange indeed. It's also a possible breach of the software's terms and conditions, which state:

"We will not access, view, or listen to any of your content, except as reasonably necessary to perform the Services. Actions reasonably necessary to perform the Services may include (but are not limited to) (a) responding to support requests; (b) detecting, preventing, or otherwise addressing fraud, security, unlawful, or technical issues; and (c) enforcing these terms."

We've asked Adobe for an explanation of what exactly is going on and the firm has said that it's looking into the matter. With a lot of staff currently attending the AdobeMAX conference in Los Angeles this may take some time. ®

Updated to add

Adobe says it simply has to log every page you turn to tackle piracy.
