Evernote Chrome extension vulnerability allowed attackers to steal 4.6M users' data

[steven36]

A cross-site scripting vulnerability was discovered popular note-taking application Evernote, though the company patched it in under a week.

 

 

 

A cross-site scripting vulnerability in Evernote's Web Clipper Chrome extension allowed hackers access to active sessions of other websites in the same browser, according to security company Guardio. The vulnerability—designated as CVE-2019-12592—allowed attackers to bypass Chrome's same-origin policy, creating a situation in which "code could be executed that could allow an attacker to perform actions on behalf of the user as well as grant access to sensitive user information on affected third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more," according to a press release.

 

The affected extension has over 4.6 million users, according to statistics on the Chrome Web Store, theoretically putting a large number of users at risk. Evernote's handling of the vulnerability is laudable, as the company issued an update (version 7.11.1) to address the vulnerability less than one week after being notified.

 

The Evernote Web Clipper allows users to clip, highlight, annotate, and screenshot content of websites, and save it to an Evernote account. To enable this functionality, a JavaScript file is injected into every web page. A function used to pass a URL to the extension's namespace was not properly sanitized, allowing hackers to inject their own script—which is then injected into every web page—then allowing for data exfiltration. Guardio provides a full technical explanation on their blog.

 

 

Although seasoned IT veterans will likely recoil at the prospect of installing untrusted browser extensions—likely due to flashbacks of IE 6 toolbar bloat—the largely improved security model of Google Chrome may have lulled technical users into a false sense of safety. Though services such as Evernote are deserving of trust, installing extensions comes with as much risk as installing native applications on a computer—if not more, given their adjacent nature to session cookies and password stores.

 

Source