
Evernote security flaw could have exposed data of millions of users

Image credit: Google

Security researchers have discovered a critical flaw in the Evernote Web Clipper Chrome extension that could have allowed attackers to access a user's personal information held by third-party online services.

The vulnerability, a Universal Cross-site Scripting (UXSS) referred to as CVE-2019-12592, was discovered by the security company Guardio as part of its ongoing security analysis efforts using a combination of its own internal technology and researchers.

After the discovery, the firm immediately disclosed the vulnerability to Evernote, and the note-taking service rolled out a complete fix in less than a week.

However, given Evernote's widespread popularity, the issue could potentially have affected the 4.6m consumers and businesses that use its Chrome extension.

Web Clipper extension

Before Evernote fixed the issue, a logic error in the Web Clipper extension could have allowed an attacker to bypass Chrome's same-origin policy, giving them code execution in iframes on sites other than Evernote.

With Chrome's domain-isolation mechanisms bypassed, an attacker could run code that performed actions on the user's behalf and gained access to sensitive user data on affected third-party web pages and services, including authentication credentials, financial details, social media conversations, personal emails and more.

Guardio's CTO Michael Vainshtein explained why browser extensions need to be scrutinized thoroughly, saying:

"The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers. All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense."

Via Bleeping Computer

After getting his start at ITProPortal while living in South Korea, Anthony now writes about cybersecurity, web hosting, cloud services, VPNs and software for TechRadar Pro. In addition to writing the news, he also edits and uploads reviews and features and tests numerous VPNs from his home in Houston, Texas. Recently, Anthony has taken a closer look at standing desks, office chairs and all sorts of other work from home essentials. When not working, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.