Skip to main content
G
GoldenMonkey
New Participant
October 13, 2021
Question

Spamming vulnerability with CC login system

  • October 13, 2021
  • 1 reply
  • 787 views

Hi there,

 

I'm trying to report an issue with the CC login system which enables someone to spam a users mobile with unsolicited texts as long as they know their email address that is used to login to creative cloud and the user has 2 factor authentication enabled.

 

You can test this yourself if you have 2 factor enabled on your CC account.

 

1. Go to adobe home page (make sure you are not already signed in

2. Click sign in

3. Enter your email address

4. Click 'continue'

5. A notification is displayed saying that an sms has been sent to the users mobile and the code is required to continue

6. Press back in browser

7. Click 'continue' button again

8. Another sms sent

9. Repeat back and contine indefinitely.

 

There is a reason that the password is supposed to be requested before an SMS 2 factor code, and this is it.  Maybe someone from Adobe that understands this process can explain why it is this way round and if they are aware of this issue.

 

tldr: Login page can be used to spam a users mobile phone with sms messages if you know their adobe cc login, and they have 2 factor enabled on their account.

 

Many thanks.

 

(btw I had to select random topics as it didn't have anything suitable, my bad)

This topic has been closed for replies.

1 reply

Nancy OShea
Nancy OShea
Community Expert
October 13, 2021

Sharing Creative Cloud accounts with other users is a violation of Adobe's terms of service agreement.

I suggest you change your password now for security reasons and to prevent unauthorized access to your account. Log-in below to change your password.

https://account.adobe.com/security

 

Without the correct password, other users cannot access your account.   Two-factor authentication is simply another layer of protection.

 

Nancy O'Shea— Product User, Community Expert & Moderator
G
GoldenMonkeyAuthor
New Participant
October 13, 2021

Not sure i understand what you're suggesting. 

 

I haven't shared anyones details and haven't shard shared my own, my password does not need changing...

G
GoldenMonkeyAuthor
New Participant
October 13, 2021

YOU WROTE:

"I'm trying to report an issue with the CC login system which enables someone to spam a users mobile with unsolicited texts..."

 

So someone is spamming you or you're spamming yourself???

 

 


As the subject suggests I am reporting a security issue which allows a bad actor to spam someone's personal mobile with sms from adobe simply by knowing their email address associated with adobe cc.

 

The solution to that is to request the password BEFORE the sms verification code. Then the problem goes away. 

 

This post wasn't specifically for you but someone in adobe with knowledge of security matters. So I also emailed their security email.

 

That's all I have to say on the matter as my original post says everything. 

Terms & ConditionsAccessibility statement
Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices