Does Adobe Have Weak Security?

Black Hole

I thought it was strange when I received an email from Adobe calling me "Sandeep" and informing me there was a billing error, that my credit card didn't work, but I thought "meh". After a few more I had a snoop around and decided there was no threat, so it's Adobe's problem not mine. It seems like this "Sandeep" has been able to acquire access to Adobe resources, possibly on a free initial period which has expired, and is now not paying.

A few more and I thought I would put Adobe out of their misery so tried to contact them, but found it difficult to locate an email address. I tried one at random but I doubt it got through.

Today I had another, so this time I decided to sort it once and for all. The Adobe support pages wouldn't engage with me unless I logged in, so I set about taking over the account. It wasn't difficult! The account set-up had not been completed; it didn't require a password and instead went directly to email verification and password set-up.

So how come they were permitting access to resources without having at least validated the email address, and preferably validated the billing as well?

Having logged in, established a chat, and got past the chatbot, I had no problem explaining the account had been set up fraudulently and deleted the account. It strikes me they are used to this!
 
My first thought on receiving such an email would have been that it was a scam, sent from an address very similar to an Adobe one trying to obtain your bank or credit card details. I would have binned it. What made you think it was real? As it turned out, it must have been, otherwise Adobe would have denied all knowledge.
 
Is it possible to fake a correct address?
Only if the recipient is unquestioning. You could, for example, have a "from" field "adobe.com <joe.blogs@somewhere>" and the email client would present that as "adobe.com", but it's easy to check if you have a mind to.

With regard to injecting an email into the delivery system with a fake sender, yes that's obviously possible to inject, but the email system itself checks the validity of the credentials against the supposed source server. Take a look at the full email headers sometime (I think you need a proper desktop email client for that) and you'll see loads of routing information which gets added to the payload as an email transits the Internet.
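
The header check described in the post above, as an added example that is not part of the original thread: it flags a display name that names a domain other than the real sending domain, lists the Received hops, and reads the receiving server's SPF/DKIM verdicts. The sample message, its hosts and addresses (including `somewhere.example`) are constructed, and it assumes the receiving server records its checks in an `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every host, address and result is made up.
SAMPLE = """\
Received: from mail.somewhere.example (mail.somewhere.example [203.0.113.7])
\tby mx.recipient.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.somewhere.example with ESMTP id xyz789; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=somewhere.example;
\tdkim=none
From: "adobe.com" <joe.blogs@somewhere.example>
To: someone@recipient.example
Subject: Billing error

Your credit card didn't work.
"""

DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

def inspect(raw):
    """Summarise the sender and routing evidence in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2].lower()
    # Domains named in the display name that are not the real sending domain
    # (or a parent of it) are what a mail client would misleadingly show.
    claimed = [d.lower() for d in DOMAIN_RE.findall(display)]
    mismatch = [d for d in claimed
                if d != addr_domain and not addr_domain.endswith("." + d)]
    # Each server prepends its own Received header, so hops read newest first.
    hops = []
    for received in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+).*?by\s+(\S+)", received, re.S)
        if m:
            hops.append((m.group(1), m.group(2)))
    # Verdicts the receiving server recorded; they vouch for the envelope or
    # signing domain, not for whatever the display name claims.
    results = " ".join(msg.get_all("Authentication-Results", []))
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    return {"address_domain": addr_domain, "display_name_mismatch": mismatch,
            "hops": hops, "auth": auth}

if __name__ == "__main__":
    for key, value in inspect(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, SPF passes for `somewhere.example` while the display name says `adobe.com`, so a passing check alone says nothing about the name the client shows.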
 
Adobe has had a :poop: reputation as long as I can remember. Flash has been PNG for years but there are still websites that require it.
I'm completely bemused they still exist (plenty of other (better) PDF readers around, so that's not even an excuse now).
 
A project I was involved in (years ago) required Flash and Java applets in web pages. They were the design "instructions". Roll on however many years and these web pages will no longer work in modern browsers.* Nobody has come back to me to change it. I doubt anyone could offer me enough beer tokens to revisit it. Wasted on-line learning project. But hey, I was paid well at the time and those savings are coming in useful now.
* Still run in older browsers with the correct plugins. But getting the browser and the plugins to install is a challenge.
 