Evernote security flaw could have exposed data of millions of users


X Scalper

Security researchers have discovered a critical flaw in the Evernote Web Clipper Chrome extension which could allow potential attackers to access a users’ personal information from third party services online.

The vulnerability, a Universal Cross-site Scripting (UXSS) referred to as CVE-2019-12592, was discovered by the security company Guardio as part of its ongoing security analysis efforts using a combination of its own internal technology and researchers.

After the discovery, the firm immediately disclosed the vulnerability to Evernote and the note taking service quickly rolled out a complete fix in less than a week.

However, due to the Evernote’s widespread popularity, the issue could have potentially affected the 4.6m consumers and businesses that use its Chrome extension.

Web Clipper extension

Before Evernote fixed the issue, the logical coding error in the Web Clipper extension could have allowed an attacker to bypass Chrome’s same origin policy which would have granted them code execution privileges in Iframes on other site’s besides Evernote.

Without Chrome’s domain-isolation mechanisms, code could be executed that could allow an attacker to perform actions on the user’s behalf as well as grant access to sensitive user information on affected third-party web pages and services including authentication, financial details, social media conversations, personal emails and more.

Guardio’s CTO Michael Vainshtein explained why browser extensions need to be scrutinized thoroughly, saying:

“The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers. All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense.” 

Via Bleeping Computer




Be the first to comment

Leave a Reply

Your email address will not be published.


*