A critical flaw that affected Evernote’s web clipper extension for Chrome could have impacted millions of users.
Reports say that the critical flaw in the popular note-taking extension Evernote could have led to the breach of personal data of over 4.6 million users. Hackers could have exploited the vulnerability to steal personal data including emails and financial transactions of users.
Security researchers at Guardio had discovered this vulnerability in the Evernote Web Clipper extension, which is immensely popular and which lets users capture full-page articles, images, emails, selected texts etc.
A blog post by the Guardio research team says, “In May 2019 Guardio’s research team has discovered a critical vulnerability in Evernote Web Clipper for Chrome. A logical coding error made it is possible to break domain-isolation mechanisms and execute code on behalf of the user – granting access to sensitive user information not limited to Evernote’s domain. Financials, social media, personal emails, and more are all natural targets. The Universal XSS vulnerability was marked as CVE-2019-12592.”
The hackers exploiting the vulnerability could get users diverted to a website that’s controlled by them. Eventually, the hackers would be able to breach the users’ private data from affected 3rd-party websites. Guardio researchers have even demonstrated, in the PoC (Proof-of-Concept) access to social media, financial transaction history, private shopping lists etc. The Guardio researchers disclosed the flaw to Evernote on May 27 and following the disclosure, Evernote patched the vulnerability and a fixed version was deployed within a few days. The fix was confirmed on June 4th, 2019.
How the vulnerability gets exploited
In the normal course, a JavaScript is injected into the webpages that use the Evernote extension so as to enable the extension’s various functionalities. But, due to the above-mentioned vulnerability (CVE-2019-12592), logical coding error that has left a function (one that’s used to pass a URL from the site to the extension’s namespace) unsanitized, attackers could inject their own script into the webpages. This gives them access to sensitive user information available on the webpages.
The Guardio blog post says, “The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker-controlled payload into all iframes contexts…Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.”
The Guardio researchers have also used a proof of concept video in which they explain how the user is first taken to the hacker-controlled malicious website (via social media, email, compromised blog comments etc) and how the malicious website then silently loads hidden, legitimate iframe tags of targeted websites. These iframe tags would have injected payload that would be customized for each targeted website. Thus, the hackers would be able to steal personal data from the targeted websites.
The solution
Users should go for the latest version of Evernote, which includes the fix for this issue. The latest version can be installed by copying chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc into the address bar. For security reasons it has to be manually copied; it’s to be ensured that the version shows as 7.11.1 or higher.
Users should also make it a point to install browser extensions only from trusted sources.
