Evernote takes prompt action against recently surfaced macOS app bug

Recently, reports circulated about an Evernote bug that could have let an attacker execute malicious code on a target system. It has now been fixed.

Credit goes to Dhiraj Mishra, a Dubai-based security researcher, who reported the vulnerability to Evernote on 17 March. In a blog post, Mishra published evidence of the bug, which he also shared with media outlets. He demonstrated that a victim only had to click a link that looked like an ordinary web address; the click then launched a local application or file without any warning.

Shelby Busen, Evernote's spokesperson, acknowledged and expressed appreciation for the researcher's contribution and confirmed that the bug had been fixed.

MITRE, which maintains the CVE list, assigned the bug the identifier CVE-2019-10038.

The bug could allow an attacker to remotely trigger execution of malicious code on a target macOS system, provided Evernote was installed and the user clicked the crafted link. Because the link pointed at a file or application already present on the machine rather than at a web address, it was opened without any prompt. Since the fix, Evernote shows a warning when a user clicks a link that would open a local file. Many gamers may recognise the pattern, as a similar vulnerability was recently discovered in EA's Origin game client.
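The kind of pre-open check that closes this class of bug, written here as an added illustration (it is neither Evernote's code nor the researcher's proof of concept): every hyperlink in a note is classified before it is followed, and anything that would launch a local file, uses an unexpected scheme, or whose visible text claims a different destination than its real target gets a confirmation prompt instead of a silent open. The note body, the link targets and the `SAFE_SCHEMES` allowlist are constructed for the example; the mismatch check goes slightly beyond the report, which only describes the local-file case.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample note body (not a real Evernote note). The second link's
# visible text looks like a web address but its target is a local application,
# the pattern the report describes; the third is a bare local path; the fourth
# is a remote link whose text misrepresents its destination.
SAMPLE_NOTE_HTML = """
<p>Agenda: <a href="https://example.com/agenda">https://example.com/agenda</a></p>
<p>Slides: <a href="file:///Applications/Calculator.app">https://example.com/slides</a></p>
<p>Report: <a href="/Users/victim/Downloads/report.command">report.command</a></p>
<p>Login: <a href="https://evil.example.net/x">https://example.com/login</a></p>
"""

# Schemes a note viewer may open without asking (assumed allowlist for the example).
SAFE_SCHEMES = {"http", "https", "mailto"}

_LINK_RE = re.compile(r'<a\s+href="([^"]*)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def extract_links(note_html):
    """Return (href, visible_text) pairs for every anchor in a note body."""
    return [(html.unescape(h), html.unescape(t).strip())
            for h, t in _LINK_RE.findall(note_html)]


def classify_link(href, text):
    """Decide how a viewer should treat a link before following it.

    Returns ("open", reason) for a remote web link whose visible text agrees
    with its target, or ("warn", reason) when the viewer should show a
    confirmation dialog instead of launching the target silently.
    """
    target = urlparse(href)
    scheme = target.scheme.lower()

    # file:// URLs and bare absolute paths resolve to something on the local disk.
    if scheme == "file" or (scheme == "" and href.startswith("/")):
        return "warn", "target is a local file or application"
    if scheme not in SAFE_SCHEMES:
        return "warn", f"unrecognised scheme {scheme!r}"

    # If the visible text itself is a URL, it must point where the href points.
    shown = urlparse(text)
    if shown.scheme and shown.netloc and \
            (shown.scheme.lower(), shown.netloc.lower()) != (scheme, target.netloc.lower()):
        return "warn", "link text does not match its target"
    return "open", "remote web link"


def audit_note(note_html):
    """Classify every link in a note: (href, text, action, reason) per link."""
    return [(href, text, *classify_link(href, text))
            for href, text in extract_links(note_html)]


if __name__ == "__main__":
    for href, text, action, reason in audit_note(SAMPLE_NOTE_HTML):
        print(f"{action:5} {text!r} -> {href!r}: {reason}")
```

Run as a script it prints one line per link; only the first sample link is opened without a prompt. The local-path rule is deliberately scheme-first: a `file://` target is flagged before the text comparison runs, because a misleading caption is secondary to the fact that the click would launch something on the victim's machine.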

This was not the first time Evernote faced a security problem. In 2013, after a large breach, the note-taking service had to reset nearly 50 million passwords. Later, in 2016, it changed its privacy policy to grant employees access to users' data; the resulting backlash forced Evernote to revert to the original policy.
