Evernote security flaw could have exposed data of millions of users

Image credit: Google

Security researchers have discovered a critical flaw in the Evernote Web Clipper Chrome extension which could have allowed attackers to access a user's personal information held by third-party online services.

The vulnerability, a Universal Cross-Site Scripting (UXSS) bug tracked as CVE-2019-12592, was discovered by the security company Guardio as part of its ongoing security analysis efforts, which combine its own internal technology with manual research.

After the discovery, the firm immediately disclosed the vulnerability to Evernote, and the note-taking service rolled out a complete fix in less than a week.

However, due to Evernote's widespread popularity, the issue could have affected the 4.6m consumers and businesses that use its Chrome extension.

Web Clipper extension

Before Evernote fixed the issue, a logical coding error in the Web Clipper extension could have allowed an attacker to bypass Chrome's same-origin policy, granting them code execution within iframes on sites other than Evernote.

With Chrome's domain-isolation mechanisms bypassed, injected code could have performed actions on the user's behalf and accessed sensitive user information on affected third-party web pages and services, including authentication data, financial details, social media conversations, personal emails and more.

Guardio's CTO Michael Vainshtein explained why browser extensions need to be scrutinized thoroughly, saying:

"The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers. All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense." 

Via Bleeping Computer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.