SecurityWeek

Adobe Updates Digital Editions Following Privacy Controversy

In response to accusations that it’s spying on users of the e-book reader application Adobe Digital Editions, Adobe Systems has released a new version of the software that addresses some of the reported issues.

Earlier this month, reports surfaced about Adobe collecting information from Digital Editions 4.0 users, including the books they read and the ones stored in their library. Researchers also noticed that all the data was sent back to Adobe’s servers without being encrypted.

“Adobe Digital Editions allows users to view and manage eBooks and other digital publications across their preferred reading devices—whether they purchase or borrow them. All information collected from the user is collected solely for purposes such as license validation and to facilitate the implementation of different licensing models by publishers,” Adobe said at the time.

“Additionally, this information is solely collected for the eBook currently being read by the user and not for any other eBook in the user’s library or read/available in any other reader. User privacy is very important to Adobe, and all data collection in Adobe Digital Editions is in line with the end user license agreement and the Adobe Privacy Policy,” the company explained.

At the time, Adobe promised to address the issue of information transmission in clear text. On Thursday, the company released Digital Editions 4.0.1, in which the data collected from users is transmitted securely over HTTPS.

“It is important to point out that while it is correct that prior to the update, certain usage data was transmitted in clear text, Adobe did not transmit or store the actual user ID or device ID in clear text. Even prior to the update, both the user ID and device ID were obfuscated by assigning unique values (“GUIDs”), which were collected and stored in place of the user ID and device ID,” Adobe told SecurityWeek.

The clear-text transmission issue has been assigned the CVE identifier CVE-2014-8068. According to a security advisory published by the company on Thursday, Digital Editions 4.0.1 “adds support for secure transmission of rights management and licensing validation information.” Adobe says the issue affects Adobe Digital Editions version 4.0.98786 and earlier for Windows and Mac.

Adobe maintains its position that the data collected by the e-book reader software has been in line with the end user license agreement and the company’s privacy policy. However, the company wants to be more explicit about its practices, so it has added a dedicated page to the Adobe Privacy Policy that details the collection and use of data.

Nate Hoffelder of The Digital Reader, the one who first broke the story, and others have confirmed that data is now sent over SSL. Galen Charlton of Meta Interchange has tested Digital Editions 4.0.1 and confirmed that no information is sent to Adobe on e-books that don’t have digital rights management (DRM) associated with them.

On the other hand, many experts and users say some questions about Adobe’s data collection practices remain unanswered.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
