Home Articles How Evernote Chrome Extension Vulnerability Compromised 4.6 Million Users

How Evernote Chrome Extension Vulnerability Compromised 4.6 Million Users


Recently, a major vulnerability in Evernote’s Web Clipper left user data of millions vulnerable. Read on to know the latest Evernote vulnerability…

Last month, researchers from Guardio discovered a rather serious security flaw with the Web Clipper Chrome extension. It was a universal cross-site scripting vulnerability, which, as a proof-of-concept exploit demonstrates, could have been used to steal anything from Facebook account information to PayPal transaction data.

The Evernote security vulnerability existed in the Chrome extension of Evernote Web Clipper.

Modus Operandi
A critical flaw in Evernote’s Web Clipper extension had exposed user data of millions of Evernote users. As Guardio notes, most vulnerable extensions have a fairly limited reach and only affect data that is handled by the addon’s vendor. The flaw in the Web Clipper extension, however, enabled the theft of all sorts of information that’s not related to Evernote in any way.

All the hackers needed to do was lure the victim to a malicious website and hide some code in an iframe. An error in the sanitization mechanisms meant that the extension could be forced to execute the code and let the criminals in.

At the time of its discovery, the affected Chrome extension has over 4.6 million users, according to statistics on the Chrome Web Store, theoretically putting a large number of users at risk.

The Vulnerability
Designated as CVE-2019-12592, the security flaw left sensitive information of several million Evernote users vulnerable. The exploit developed by the researchers showed that malicious websites can be loaded with harmful payloads which compromise information through Evernote’s internal infrastructure.

The security flaw, which is a Universal Cross-site Scripting (UXSS) vulnerability, could permit attackers to access sensitive user information from malicious third-party websites. Security firm Guardio came across this flaw in the extension last month. Additionally, a proof-of-concept (PoC) devised by the company showed that Web Clipper could be exloited to gain sensitive information such as financial transaction history, private shopping lists, and more.

Guardio emphasizes that the UXSS flaw could be exploited in numerous ways after payload injection. “From here on out, a large number of implementations are possible – the ones provided to Evernote as part of Guardio’s PoC are only a small handful compared to what is within the realm of possibilities of malicious actors,” read the firm’s blog.

Damage Control
On May 27, Guardio got in touch with the security team of Evernote and privately disclosed the security issue.

Upon notifying the security team of Evernote, within 24 hours, Evernote acknowledged the problem and started work on fixing it. The next day, credit to Guardio’s researchers was put on Evernote’s Security Hall of Fame, and two days later, on May 31, a new version of the Web Clipper Chrome extension was officially released. Guardio’s experts have confirmed that the update fixes the vulnerability which means that if you use Web Clipper on your Chrome browser, you must make sure that its version is 7.11.1 or newer.


Please enter your comment!
Please enter your name here

74 + = 78