Buzz
According to the security firm, due to the widespread use of Evernote, this vulnerability could impact millions of users and businesses utilizing the extension. Currently, there are approximately 4.6 million users using the extension.
Universal Cross-site Scripting Vulnerability
Security vulnerability known as Universal Cross-site Scripting (UXSS) (also referred to as Universal XSS), identified as CVE-2019-12592, originates from flawed logic encryption in Evernote Web Clipper, allowing it to 'bypass browser's initial policies, granting remote code execution privileges within Iframes outside Evernote's domain.'
Following a security flaw in Chrome's web page isolation feature, user data from accounts on websites is no longer protected, enabling malicious actors to access user's sensitive information including bank card details, private social media conversations, personal emails, etc., from third-party websites.
Attackers accomplish this by redirecting targets to websites under their control, then loading hidden iframes with targeted third-party websites and triggering exploits designed to force Evernote to inject payloads into all loaded iframes, allowing them to 'steal cookies, personal information, login credentials, Evernote registrations, perform user-like actions, etc.'
Guardio also provides Proof-of-Concept (PoC) for the vulnerability CVE-2019-12592, illustrating how the flaw in Evernote Web Clipper extension enables attackers to access social networks and user's credit card information, bank details, private conversations, shopping data, authentication data, and user emails.
Fix for UXSS vulnerability in Evernote Web Clipper has been released
Evernote has issued a patch for the vulnerability immediately upon receiving Guardio's report. The comprehensive patch was released on June 4th.
Users are advised to install the Web Clipper extension patch as soon as possible. Visit the chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc page and check if you have installed version 7.11.1 or not.
Security researcher Michael Vainshtein, Guardio's CTO, stated that the vulnerability discovered by the company serves as a crucial reminder for users to carefully consider and scrutinize browser extensions. Even the most reputable extensions can contain vulnerabilities, providing opportunities for attackers.
In 2017, Evernote altered its privacy policy, allowing company employees to access unencrypted customer note contents, however, this policy faced strong backlash from users.
Recently, specifically in mid-April, the company patched a Path Traversal vulnerability, enabling attackers to execute applications, files stored locally on target Mac machines.
Don't forget to visit Mytour to stay updated on the latest tech news. Recently, iOS users have been able to use an Android phone as a security key for iOS applications, which is a notable mobile highlight from the past day.
