Adobe's naughty Chrome telemetry code had XSS problem
Since patched, but a bad look for Adobe when it can't even get snoopware right
Adobe's pushed out a fix for its already-controversial Chrome telemetry extension after Project Zero's Tavis Ormandy found an egregious bug.
The update that shipped last week pushed the extension to Chrome users. It was presented as a convenience update that let people print Web pages to PDF, and use Reader instead of Chrome's built-in PDF support. However, the extension also added telemetry, collecting user-level data (not URLs) and phoning it home to Adobe.
Here's what Adobe says about the extension's collection:
- Browser type and version
- Adobe product information, such as version
- Adobe feature usage, such as menu options or buttons selected
And here's what Ormandy says about the extension:
I took a quick look at the extension. There was an easy privileged javascript code execution bug. Sigh. https://t.co/9Ka4y5r43M https://t.co/Wi6OVmYM5q
— Tavis Ormandy (@taviso) January 18, 2017
Ormandy's bug report goes on to say "I think CSP might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc."
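The two protections Ormandy's report mentions, the extension's content security policy and its web_accessible_resources list, only limit how far an XSS in a privileged extension page can be pushed; the page itself still has to avoid injecting untrusted text into its DOM. The JavaScript below is an added illustration and is not code from Adobe's extension or from Ormandy's report. It assumes a Manifest V2 layout (string `content_security_policy`, array `web_accessible_resources`), which is the format Chrome extensions used at the time; the manifest and title strings are constructed samples, and `auditManifest`, `escapeHtml`, `renderTitleUnsafe` and `renderTitleSafe` are hypothetical names.

```javascript
// Added example: defender-side checks for an extension's privileged pages.
// Not Adobe's extension code and not from Ormandy's bug report.

// Constructed sample manifest (Manifest V2 shape), not a real extension's.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "sample-print-to-pdf",
  version: "1.0",
  // Listing an HTML page here lets any web page frame it.
  web_accessible_resources: ["options.html", "icons/logo.png"],
  // 'unsafe-eval' lets injected text reach code execution via eval().
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

// 1. Flag manifest settings that widen the blast radius of a DOM XSS in an
//    extension page: HTML pages (or catch-all globs) exposed as web
//    accessible resources, and a CSP that permits eval or remote script.
function auditManifest(manifest) {
  const findings = [];
  const resources = manifest.web_accessible_resources || [];
  for (const pattern of resources) {
    // Bare "*", "**" globs, or any .htm/.html entry exposes a page to framing.
    if (/^\*$|\*\*|\.html?$/.test(pattern)) {
      findings.push(
        `web_accessible_resources exposes '${pattern}'; only list assets web pages must load`
      );
    }
  }
  // Chrome's default extension CSP when none is declared (Manifest V2).
  const csp = manifest.content_security_policy || "script-src 'self'; object-src 'self'";
  if (/'unsafe-eval'/.test(csp)) {
    findings.push(`content_security_policy allows eval: ${csp}`);
  }
  if (/script-src[^;]*https?:\/\//.test(csp)) {
    findings.push(`content_security_policy whitelists remote script hosts: ${csp}`);
  }
  return findings;
}

// 2. Escape untrusted text before it is placed into markup. In an extension
//    page, anything that came from a web page (document titles, query
//    parameters, postMessage payloads) is untrusted in the privileged context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the title is concatenated straight into markup that
// would then be assigned to innerHTML.
function renderTitleUnsafe(title) {
  return `<h1 class="doc-title">${title}</h1>`;
}

// Hardened pattern: escape first. In a live page, prefer setting
// element.textContent, which needs no escaping at all.
function renderTitleSafe(title) {
  return `<h1 class="doc-title">${escapeHtml(title)}</h1>`;
}

// Stand-alone usage on the constructed sample.
for (const f of auditManifest(SAMPLE_MANIFEST)) console.log("finding:", f);
const UNTRUSTED_TITLE = "Quarterly <b>report</b> & notes"; // constructed input
console.log(renderTitleUnsafe(UNTRUSTED_TITLE));
console.log(renderTitleSafe(UNTRUSTED_TITLE));
```

Running the audit against the sample manifest reports two findings (the framable options page and the eval permission); a manifest that exposes only image assets and keeps Chrome's default CSP reports none. The render comparison shows the markup that survives untouched in the unsafe path and is neutralised in the safe path.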
Adobe took the report seriously, and says it's already pushed a fix. ®