A Critical flaw in Evernote exposed sensitive data of users to potential attackers

Due to an expository flaw, Evernote Web Clipper Chrome extension could be hijacked by potential hackers to retrieve user's personal information through third-party online services.

Because of the extensive use of Evernote, this flaw can affect its customer users (about 4,600,000 users), according to Guard, a security company which warned about the vulnerability.

The security flaw is a (UXSS) Universal Cross-site Scripting (also known as Universal XSS) traced as CVE-2019-12592 and originating from an Evernote Web Clipper logical code mistake that allowed to neglect the Chrome's same origin policy (SOP), allowing the hackers code-execution privileges in iframes, that allows them to gain access to sensitive user data.

The interruption in Google Chrome's site privacy protection feature means the data of users on connected accounts/services is vulnerable, and this enables the attackers to obtain users information including personal emails, financials, private conversations in social media sites and more from third-party services.

It works by redirecting the targets to the websites that are controlled by the hackers that load hidden iframes with the intended third-party sites activate an exploit which is made to pushes Evernote to insert a malicious payload that will steal credentials, cookies.


The security company Guard.io created an efficient Proof-of-Concept (PoC) for the CVE-2019-12592 flaw that shows how to get access to the shopping data, authentication data, financial info and private conversations of anyone using an unsafe Evernote Web Clipper.


Critical Flaw in Evernote Web Clipper UXSS patched

In under a week of Guard's revealing, Evernote has fixed the Web Clipper vulnerability.

The flaws were disclosed on May 27 and rolled out the repairs to all customers on May 31, with the patch being showed as fully functional on June 4.

Chief technology officer of Guardio, Michael Vainshtein said that all it requires is an only unsafe extension to jeopardize anything you do or save online. The ripple outcome is quick and intense.

Read next on DIW: Hackers and Cyber-criminals Have Discovered a Goldmine in The Form of Gaming Industry
Previous Post Next Post