The Adobe company has its headquarters in San José, California, 14 kilometers from Apple Park – and is also closely linked to Apple: Software such as Photoshop, Premiere, Illustrator and InDesign are always released for macOS as well as for Windows. In the past, the high-priced design apps motivated some users to switch to pirated copies, which is why the company has taken increasingly extensive copy protection measures. Now a Reddit user discovered a controversial change: an entry in the macOS hosts file exclusive to a specific URL call. The entry in the /etc/hosts file is difficult for laypeople to find; the folder at the top level of the system partition remains hidden in the Finder and can only be accessed using the keyboard shortcut +. Make (point) visible. The hosts file can only be changed with admin rights. The entry itself consists of three lines, two of which are comments. So effectively it’s a single entry:
## Adobe Creative Cloud WAM Start##
166.117.29.xyz detect-ccd.creativecloud.adobe.com
## Adobe Creative Cloud WAM – End ##
Although modifications to the /etc/hosts file are common in server scenarios, they are rarely found on a user system – the effects can be unpredictable. In the case of malware, however, this scam is widespread because it allows certain URL calls to be specifically redirected to other servers.
An unchanged hosts file from macOS – note the warning.
Browser login verification
Reddit user thenickdude has a theory for the cause: When you visit Adobe’s website, a JavaScript command tries to load a file called “cc.png” from the URL specified in the hosts file. If Creative Cloud was installed on the computer and the entry in the hosts file was also added, the file retrieval works. If the file does not load, JavaScript reports an error to the web server. Some time ago, the JavaScript function addressed ” directly. But after Google’s Chrome browser added a permission request to such connection requests last summer, Adobe apparently decided on this controversial workaround.
“No difference to malware”
The discovery sparked widespread opposition. John Gruber asks rhetorically what would happen if every installed software left an entry in /etc/hosts. He remembers a time when Adobe was a citadel of best developer practices. The Creative Cloud installer is now indistinguishable from malware. The first half of the statement is probably more of an individual opinion, the second half finds general agreement. A sarcastic comment on Reddit notes that a pirated copy now runs more stable, starts faster and interferes less with the system.
