Critical Flaw Reported in Popular Evernote Extension for Chrome Users

Haythem Elmir
0 1
Read Time1 Minute, 43 Second

Cybersecurity researchers discover a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed.

Evernote is a popular service that helps people taking notes and organize their to-do task lists, and over 4,610,000 users have been using its Evernote Web Clipper Extension for Chrome browser.

Discovered by Guardio, the vulnerability (CVE-2019-12592) resided in the ways Evernote Web Clipper extension interacts with websites, iframes and inject scripts, eventually breaking the browser’s same-origin policy (SOP) and domain-isolation mechanisms.

According to researchers, the vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue.

As shown in the video demonstration, the researchers also developed a Proof-of-Concept (PoC) exploit that can inject a customized payload on targeted websites, and steal cookies, credentials, and other private information from an unsuspecting user.

No doubt extensions add a lot of useful features to your web browser, but at the same time, the idea of trusting 3rd-party code is much more dangerous than most people realize.

Since extensions run in your web browser, they often require the ability to make network requests, access and change the content of web pages you visit, which poses a massive threat to your privacy and security, doesn’t matter if you have installed it from the official Firefox or Chrome stores.

Guardio team responsibly reported this issue to Evernote late last month, who then released an updated, patched version of its Evernote Web Clipper extension for Chrome users.

Since Chrome Browser periodically, usually after every 5 hours, checks for new versions of installed extensions and updates them without requiring user intervention, you need to make sure your browser is running the latest Evernote version 7.11.1 or later.

Source: https://thehackernews.com/2019/06/evernote-extension-hacking.html

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

Important Flaw in Outlook App for Android Affects Over 100 Millions Users

Microsoft today released an updated version of its « Outlook for Android » that patches an important security vulnerability in the popular email app that is currently being used over 100 million users. According to an advisory, Outlook app with versions before 3.0.88 for Android contains a stored cross-site scripting vulnerability (CVE-2019-1105) in […]