Evernote Chrome extension vulnerability allowed attackers to steal 4.6M users' data

A cross-site scripting vulnerability was discovered in the popular note-taking application Evernote, though the company patched it in under a week.


A cross-site scripting vulnerability in Evernote's Web Clipper Chrome extension allowed hackers access to active sessions of other websites in the same browser, according to security company Guardio. The vulnerability—designated as CVE-2019-12592—allowed attackers to bypass Chrome's same-origin policy, creating a situation in which "code could be executed that could allow an attacker to perform actions on behalf of the user as well as grant access to sensitive user information on affected third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more," according to a press release.

The affected extension has over 4.6 million users, according to statistics on the Chrome Web Store, theoretically putting a large number of users at risk. Evernote's handling of the vulnerability is laudable, as the company issued an update (version 7.11.1) to address the vulnerability less than one week after being notified.


The Evernote Web Clipper allows users to clip, highlight, annotate, and screenshot content of websites and save it to an Evernote account. To enable this functionality, the extension injects a JavaScript file into every web page. A function used to pass a URL into the extension's namespace did not properly sanitize its input, so an attacker could inject their own script, which the extension then carried into every web page the user had open, allowing data exfiltration from those sites. Guardio provides a full technical explanation on their blog.

Although seasoned IT veterans will likely recoil at the prospect of installing untrusted browser extensions—likely due to flashbacks of IE 6 toolbar bloat—the largely improved security model of Google Chrome may have lulled technical users into a false sense of safety. Though services such as Evernote are deserving of trust, installing extensions comes with as much risk as installing native applications on a computer—if not more, given their adjacent nature to session cookies and password stores.


Note: A previous version of this story indicated Evernote Web Clipper had "over 4.7 million users." The installation base of Evernote is just over 4.6 million users.


By James Sanders

James Sanders is a staff writer for TechRepublic. He covers future technology, including quantum computing, AI, and 5G, as well as cloud, security, open source, mobility, and the impact of globalization on the industry, with a focus on Asia.