cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
search
  • Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0
Upvote

Spamming vulnerability with CC login system

GoldenMonkey
New Here ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

Hi there,

 

I'm trying to report an issue with the CC login system which enables someone to spam a users mobile with unsolicited texts as long as they know their email address that is used to login to creative cloud and the user has 2 factor authentication enabled.

 

You can test this yourself if you have 2 factor enabled on your CC account.

 

1. Go to adobe home page (make sure you are not already signed in

2. Click sign in

3. Enter your email address

4. Click 'continue'

5. A notification is displayed saying that an sms has been sent to the users mobile and the code is required to continue

6. Press back in browser

7. Click 'continue' button again

8. Another sms sent

9. Repeat back and contine indefinitely.

 

There is a reason that the password is supposed to be requested before an SMS 2 factor code, and this is it.  Maybe someone from Adobe that understands this process can explain why it is this way round and if they are aware of this issue.

 

tldr: Login page can be used to spam a users mobile phone with sms messages if you know their adobe cc login, and they have 2 factor enabled on their account.

 

Many thanks.

 

(btw I had to select random topics as it didn't have anything suitable, my bad)

TOPICS
Cloud storage web assets , Collaboration , File sync , Libraries

Views

254

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
replies 9 Replies 9
latest latest Jump to latest reply
Nancy OShea Community Expert
Community Expert ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

Sharing Creative Cloud accounts with other users is a violation of Adobe's terms of service agreement.

I suggest you change your password now for security reasons and to prevent unauthorized access to your account. Log-in below to change your password.

https://account.adobe.com/security

 

Without the correct password, other users cannot access your account.   Two-factor authentication is simply another layer of protection.

 

Nancy O'Shea— Product User, Community Expert & Moderator
Alt-Web Design & Publishing ~ Web : Print : Graphics : Media

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
GoldenMonkey
New Here ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

In Response To Nancy OShea

Not sure i understand what you're suggesting. 

 

I haven't shared anyones details and haven't shard shared my own, my password does not need changing...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Nancy OShea Community Expert
Community Expert ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

In Response To GoldenMonkey

You implied that someone was attempting to access your CC account which triggered unwanted text messages from the 2-step authentication relay.  I'm saying that if that happens, you should definitely change your password.  And it's a good practice to change it regularly.

 

Nancy O'Shea— Product User, Community Expert & Moderator
Alt-Web Design & Publishing ~ Web : Print : Graphics : Media

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
GoldenMonkey
New Here ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

In Response To Nancy OShea

No sorry that's not what i wrote or implied.

 

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Nancy OShea Community Expert
Community Expert ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

In Response To GoldenMonkey

YOU WROTE:

"I'm trying to report an issue with the CC login system which enables someone to spam a users mobile with unsolicited texts..."

 

So someone is spamming you or you're spamming yourself???

 

 

Nancy O'Shea— Product User, Community Expert & Moderator
Alt-Web Design & Publishing ~ Web : Print : Graphics : Media

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
GoldenMonkey
New Here ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

In Response To Nancy OShea

As the subject suggests I am reporting a security issue which allows a bad actor to spam someone's personal mobile with sms from adobe simply by knowing their email address associated with adobe cc.

 

The solution to that is to request the password BEFORE the sms verification code. Then the problem goes away. 

 

This post wasn't specifically for you but someone in adobe with knowledge of security matters. So I also emailed their security email.

 

That's all I have to say on the matter as my original post says everything. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Nancy OShea Community Expert
Community Expert ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

In Response To GoldenMonkey

This is is not Adobe support.  It's a user-to-user forum.  

 

To leave feedback where product engineers will see it, go to Adobe UserVoice. 

https://helpx.adobe.com/x-productkb/global/how-to-user-voice.html

 

That said, how would someone have access to your Adobe ID (email) & password? 

 

Nancy O'Shea— Product User, Community Expert & Moderator
Alt-Web Design & Publishing ~ Web : Print : Graphics : Media

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
GoldenMonkey
New Here ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

In Response To Nancy OShea

So to have the system send the sms you do not need the account password that's my entire point. And the account id is merely my email address which is not private, noone is using a secret email address for their cc account.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Nancy OShea Community Expert
Community Expert ,
Oct 13, 2021 Oct 13, 2021

Copy link to clipboard

Copied

LATEST
In Response To GoldenMonkey

I'm fairly certain you need to provide a password if you're not already logged-in.

Try it. 

 

 

Nancy O'Shea— Product User, Community Expert & Moderator
Alt-Web Design & Publishing ~ Web : Print : Graphics : Media

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Getting Started
What are Creative Cloud services?
What are Creative Cloud Libraries?
What are Cloud Documents?
Creative Cloud mobile app collection
Quick Start for Adobe Stock
Storage and services common questions
Services
Adobe Express
Showcase your work > Adobe Portfolio
Showcase your work > Behance
Adobe Fonts
Manage assets with Creative Cloud Libraries
Your Files
Collaboration & Sharing
Cloud Storage
Collaborate on CC Libraries or folders
Share a file or folder
Collaboration FAQ
Sync files in your Creative Cloud Files folder
Copyright © 2023 Adobe. All rights reserved.
Using the Community Experience League Terms of Use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices