Google researcher finds leak in automatically installed Adobe extension

Spread the love

Tavis Ormandy, security researcher with Google’s Project Zero team, has found a vulnerability in a Chrome extension from Adobe. Since last week, this is automatically added to the browser when Adobe software is installed.

Ormandy, who regularly finds and reports software leaks, reported the leak to Adobe, and the company recently released a patch. According to the researcher, this is a cross-site scripting vulnerability that makes it possible to execute arbitrary code in the browser or adjust privacy settings in a roundabout way. Direct code execution might be prevented by csp.

The researcher mentions that the extension has now been installed on 30 million devices; he bases this on numbers from the Chrome store. The extension has been installed automatically since last week, for example when installing Adobe Reader. Chrome users on Windows will then see a pop-up asking them to enable or remove the extension. The extension itself has been around for some time and offers users, among other things, the ability to convert web pages to PDF with the paid version of Acrobat.

The extension also collects some user data, in its own words to improve the quality of service. The data collected would not include URLs. Adobe’s decision has been criticized from the security world, as it poses unnecessary risks to users.

The message after installation

You might also like
Exit mobile version