Adobe Website XSS and Open Redirect Vulnerabilities

Prakhar Prasad

Fri, 12 Oct 2012

Adobe Partners Website XSS

Vulnerable Website:

Cross-site scripting vulnerabilities were discovered on the above-mentioned website. When exploited by a cyber criminal, they could lead to cookie stealing or client-side exploits that may take full control of a victim’s computer.

Now one thing I’d like to add here: Adobe’s PSIRT was very dull while handling my issue. They took weeks to reply to my emails. Later on I found that this is not a new thing; Adobe has handled security issues poorly in earlier times.

UPDATE: Janne Ahlberg also tweeted about Adobe’s poor handling of security issues after this article was published.

Vulnerability Timeline

Adobe Feeds Website Open Redirect

Vulnerable Website:

An open-redirect issue was detected on the above website. The page takes a ‘nextPage’ parameter and redirects to it, but it does not check whether the value of ‘nextPage’ is white-listed, so it ends up as an open redirect.


The above link will silently redirect to

Although this type of vulnerability is not considered critical, it can ‘hurt’ an unsuspecting user when used in an attack such as phishing, or specifically spear-phishing, where the user might be fooled into believing that the link belongs to Adobe Inc.
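To make the ‘nextPage’ flaw concrete, here is an added example (not Adobe’s code, and not from the original post) that puts the unchecked redirect beside a white-listed version. The host names, the default target and the ‘feeds.example.com’ origin are assumptions chosen for the example.

```python
from urllib.parse import urlsplit, urljoin

# Hosts the application is willing to redirect to (constructed for this
# example; a real deployment would maintain its own allow-list).
ALLOWED_HOSTS = {"feeds.example.com", "www.example.com"}
DEFAULT_TARGET = "/"
OWN_ORIGIN = "https://feeds.example.com/"   # assumed origin of the page


def vulnerable_redirect_target(next_page: str) -> str:
    """Mirrors the flaw described above: whatever 'nextPage' holds becomes
    the Location header, so any external URL is accepted as-is."""
    return next_page


def safe_redirect_target(next_page: str) -> str:
    """Return next_page only if it resolves to an allow-listed host over
    http(s); anything else falls back to DEFAULT_TARGET."""
    if not next_page:
        return DEFAULT_TARGET
    # Browsers treat a backslash in the authority position like a slash,
    # so normalise first; otherwise '/\host' would be misread as a path.
    candidate = next_page.replace("\\", "/")
    # Resolve relative paths against our own origin so every candidate is
    # inspected as an absolute URL ('/home' -> 'https://feeds.example.com/home').
    resolved = urljoin(OWN_ORIGIN, candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_TARGET   # rejects javascript:, data:, and similar schemes
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET   # rejects external hosts, including '//host' forms
    return resolved
```

The check compares the parsed host name, not a string prefix, so a look-alike host that merely starts with the allowed name is still rejected.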

Video Demo:

Vulnerability Timeline

So, this incident marks another big company that failed to properly handle security issues.