Adobe Website XSS and Open Redirect Vulnerabilities

October 12, 2012 Prakhar Prasad 2 minutes
    Adobe Partners Website XSS

    Vulnerable Website:

    Cross-site scripting vulnerabilities were discovered on the above-mentioned website. When exploited by a cyber criminal, they could lead to cookie stealing or client-side exploits that may take full control of a victim’s computer.

    Now one thing I’d like to add here: Adobe’s PSIRT was very dull while handling my issue. They took weeks to reply to my emails. Later on I found that this is not a new thing; Adobe has handled security issues poorly in earlier times.

    UPDATE: Janne Ahlberg also tweeted about poor handling of security issues by Adobe, after this article was published.

    Vulnerability Timeline

    • 20th August 2012 - Vulnerability discovered and reported to Adobe PSIRT (
    • 24th August 2012 - Reply from Adobe PSIRT saying that they are investigating this issue
    • 24th August 2012 - I asked further queries I had
    • 3rd September 2012 - Sent another mail, because nobody responded to my last email
    • 14th September 2012 - Reply from Adobe PSIRT saying that they are still researching this issue
    • 13th October 2012 - Issue fixed ‘silently’. No notification regarding the fix from Adobe PSIRT
    • 13th October 2012 - Public Disclosure
    Adobe Feeds Website Open Redirect

    Vulnerable Website:

    An open-redirect issue was detected on the above website. The webpage takes a parameter ‘nextPage’ and redirects to it, but while redirecting it doesn’t check whether the value of the ‘nextPage’ parameter is white-listed, so the page can be made to redirect anywhere, which is an open redirect.


    The above link will silently redirect to

    Although this type of vulnerability is not considered critical, it can ‘hurt’ an unsuspecting user when used in an attack like phishing, or specifically spear-phishing, where the user might be fooled into believing that the link belongs to Adobe Inc.
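    To show the difference between the pattern behind the redirect described above and a checked one, here is an added example (not Adobe's code, and not part of the original post). The host names, the default page and the function names are assumptions; the point is that the ‘nextPage’ value is resolved and its host compared against a white-list before any redirect is issued.

```python
from urllib.parse import urlsplit, urljoin

# Assumed site hosts and landing page for this constructed example.
ALLOWED_HOSTS = {"www.example.com", "feeds.example.com"}
DEFAULT_PAGE = "https://www.example.com/"


def vulnerable_redirect_target(next_page: str) -> str:
    """The open-redirect pattern: the parameter is trusted as-is."""
    return next_page


def safe_redirect_target(next_page: str, base: str = DEFAULT_PAGE) -> str:
    """Return a target on a white-listed host, or the default page otherwise."""
    if not next_page:
        return DEFAULT_PAGE
    # Browsers treat backslashes like forward slashes in URLs, so normalise
    # them before parsing; otherwise '/\evil.example' parses as a local path
    # here but is followed to evil.example by the browser.
    candidate = next_page.replace("\\", "/")
    # Resolve relative values (e.g. '/account') against our own site, and let
    # protocol-relative values ('//other.host/...') surface their real host.
    resolved = urljoin(base, candidate)
    parts = urlsplit(resolved)
    # Only plain web schemes; this drops 'javascript:' and similar.
    if parts.scheme not in ("http", "https"):
        return DEFAULT_PAGE
    # hostname strips userinfo and port, so 'www.example.com@other.host'
    # is seen as 'other.host' and rejected.
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_PAGE
    return resolved


if __name__ == "__main__":
    # Constructed sample parameter values, as a server might receive them.
    for value in ("/account", "//other.host/login", "/\\other.host",
                  "https://feeds.example.com/rss", "javascript:alert(1)"):
        print(f"{value!r:35} -> {safe_redirect_target(value)}")
```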

    Video Demo:

    Vulnerability Timeline

    • 24th September 2012 - Vulnerability discovered and reported to Adobe PSIRT (
    • 13th October 2012 - No response from vendor, public disclosure

    So, this incident marks another big company that failed to properly handle security issues.