6/12/2023

Evernote extension

Only the 4.6 million users of the Chrome extension need to update (as far as we know, users of the Firefox, Opera, and Edge equivalents are unaffected).

To demonstrate the danger, Guardio developed a proof-of-concept to show that it was possible to exploit the vulnerability to steal user data under real-world conditions. The injected payload is customized for each targeted website and is able to steal cookies, credentials, and private information, perform actions as the user, and more. The attack would then load iFrame tags targeting specific services, hijacking Evernote to inject payloads into all iFrames.

Identified as CVE-2019-12592, it is a Universal Cross-Site Scripting (UXSS) flaw caused by a “logical coding error” that breaks the browser’s domain isolation protection. From the description offered, exploiting it would require several steps, the first of which would be luring the user to a malicious or compromised website.

The ripple effect is immediate and intense.

Users of Evernote’s Web Clipper extension for Google Chrome should check it has been updated to the latest version after a security company published details of a dangerous security flaw.

Discovered by Guardio in May, ‘dangerous’ in this context means that anyone using it in its unpatched state is at risk not only of a compromise of their Evernote account but, potentially, of third-party accounts (email, social media, banking) they have open at the same time.

“All it takes is a single unsafe extension to compromise anything you do or store online. People need to be aware that even the most trusted extensions can contain a pathway for attackers,” said Michael Vainshtein, CTO, Guardio. “The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care.”

While app authors strive to provide faster, smoother user experiences, extensions usually have permissions to access a trove of sensitive resources, inadvertently posing a much greater security risk than traditional websites.

As the browser’s domain-isolation mechanisms were broken, code could be executed that could allow an attacker to perform actions on behalf of the user as well as grant access to sensitive user information on affected third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more.

According to its security page, Evernote “periodically assesses its infrastructure and applications for vulnerabilities and remediates those that could impact the security of customer data.”

As the trend to move to the cloud continues, the browser is becoming the user’s de facto OS, replacing where users use their applications and access their data.

The logical coding error in the Web Clipper extension could have allowed an attacker to bypass the browser’s same-origin policy, granting the attacker code execution privileges in iframes beyond Evernote’s domain.

Guardio disclosed the vulnerabilities to Evernote during the last week of May, which prompted Evernote to address them and roll out a complete fix within less than a week.

Due to Evernote’s widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension, about 4,600,000 users at the time of discovery.

The vulnerability, a Universal XSS marked CVE-2019-12592, was discovered as part of Guardio’s ongoing security analysis efforts using a combination of internal technology and researchers.

Guardio discovered a major flaw in Evernote’s Web Clipper Chrome extension’s code that left it vulnerable, potentially allowing threat actors to access personal information from users’ online services.