A cross-site scripting vulnerability in Evernote’s Web Clipper Chrome extension allowed hackers access to active sessions of other websites in the same browser, according to security company Guardio. The vulnerability—designated as CVE-2019-12592—allowed attackers to bypass Chrome’s same-origin policy, creating a situation in which “code could be executed that could allow an attacker to perform actions on behalf of the user as well as grant access to sensitive user information on affected third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more,” according to a press release.
The affected extension has over 4.6 million users, according to statistics on the Chrome Web Store, theoretically putting a large number of users at risk. Evernote’s handling of the vulnerability is laudable, as the company issued an update (version 7.11.1) to address the vulnerability less than one week after being notified.
SEE: Working remotely: A professional’s guide to the essential tools (free PDF) (TechRepublic)
Although seasoned IT veterans will likely recoil at the prospect of installing untrusted browser extensions—likely due to flashbacks of IE 6 toolbar bloat—the largely improved security model of Google Chrome may have lulled technical users into a false sense of safety. Though services such as Evernote are deserving of trust, installing extensions comes with as much risk as installing native applications on a computer—if not more, given their adjacent nature to session cookies and password stores.
For more, check out “Chrome extension with millions of users is now serving popup ads” or “Awesome Google Chrome extensions (May 2019 edition)” on ZDNet.
Note: A previous version of this story indicated Evernote Web Clipper had “over 4.7 million users.” The installation base of Evernote is just over 4.6 million users.