Fix released in ‘record time’

UPDATED Millions of users’ private information was put at risk by a critical vulnerability in an extension for the popular content organizer Evernote, researchers have warned.

The Evernote Web Clipper was found to be exploitable by a cross-site scripting (XSS) attack due to an error that could allow a malicious actor to bypass Chrome’s same-origin policy.

This meant that an attacker could execute code on behalf of the user and gain access to their personal data, said researchers at Guardio, a cybersecurity technology firm.
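The class of bug described here is an extension content script that ends up rendering attacker-controlled page content as HTML, which lets markup from one site run in the extension's context and reach data from other sites the same-origin policy would otherwise isolate. The snippet below is an added illustration of that pattern and its usual fix, not Guardio's finding or Evernote's code; the function names, the clipping scenario and the hostile sample strings are all constructed for the example.

```javascript
// Added example (not Evernote's or Guardio's code): a "clipper" style routine
// that turns a page's title and body text into markup. The same-origin policy
// keeps one site's scripts away from another site's data, but a content
// script is injected into every page, so anything it reads off the page is
// attacker controlled. Concatenating that text into HTML re-parses it as
// markup; escaping it first keeps it as data.

// Escape the five characters that can change HTML structure or break out of
// an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted title and body are concatenated straight into
// markup that would later be assigned to innerHTML.
function unsafeClipMarkup(title, body) {
  return "<article><h1>" + title + "</h1><p>" + body + "</p></article>";
}

// Hardened pattern: every untrusted string is escaped before it meets markup.
// (Building nodes with document.createElement/textContent is equivalent and
// avoids string assembly altogether.)
function safeClipMarkup(title, body) {
  return (
    "<article><h1>" + escapeHtml(title) + "</h1><p>" +
    escapeHtml(body) + "</p></article>"
  );
}

// Check a unit test can run over rendered output: is there still a raw tag
// that a browser would execute or honour? Only a literal "<" starts a tag, so
// escaped content never matches.
function containsRawTag(markup) {
  return /<\s*(script|img|iframe|svg)\b/i.test(markup);
}

// Constructed sample of hostile page content, not taken from any real site.
const hostileTitle = 'Weekly report<script>alert("x")</script>';
const hostileBody = '<img src=x onerror="alert(1)">';

// Returns [unsafeResult, safeResult] so the two behaviours can be compared.
function demo() {
  return [
    containsRawTag(unsafeClipMarkup(hostileTitle, hostileBody)), // true
    containsRawTag(safeClipMarkup(hostileTitle, hostileBody)),   // false
  ];
}

console.log(demo());
```

The point of `containsRawTag` is that a test like this belongs in an extension's CI: any function that produces markup from page data should be fed hostile strings and checked for surviving tags before the build is published.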

“Upon successful exploitation, a visit to a hacker-controlled website would compromise the visitor’s private data from affected third-party websites,” Guardio said.

“In contrast to most critical extension vulnerabilities in the past, such as the infamous Grammarly security bug, this vulnerability directly impacts third-party services and is not limited to a person’s Evernote account.”

The vulnerability has been assigned CVE-2019-12592.

Evernote Web Clipper for Chrome has been downloaded more than 4.6 million times, according to statistics provided by the Chrome Web Store.

A fix has since been issued and users are advised to update to the latest version of the extension, or above.

“This vulnerability is a testament to the importance of treating browser extensions with extra care and only installing extensions from trusted sources,” wrote the Guardio Research Team in a blog post.

“All it takes is a single unsafe extension to compromise anything possible for you to do online (financials, social media, personal emails, and more).”

Guardio also praised Evernote for its quick response time following the disclosure of the vulnerability – initial disclosure was made on May 27 and a fix was released in ‘record time’, just four days later.

Evernote is an application that allows users to take and organize notes across multiple platforms, utilized by millions.

The California-based company appears to have a positive relationship with the security community, historically releasing fixes in a timely fashion and highlighting top bug finds in its Security Hall of Fame.

A spokesperson from Evernote confirmed with The Daily Swig that all Web Clipper extensions, including Firefox, had been audited, with no versions left vulnerable.