A major flaw has been discovered in the code of the Web Clipper Chrome extension of note-taking service Evernote.
The flaw, a universal XSS tracked as CVE-2019-12592 that could have allowed threat actors to extract personal information from the browser environment, was unearthed by security company Guardio and disclosed to Evernote in late May. Within a week, Evernote addressed the issue and rolled out a complete fix.
According to Guardio: The logical coding error in the Web Clipper extension could have allowed an attacker to bypass the browser’s same-origin policy, granting the attacker code execution privileges in iframes beyond Evernote’s domain. As the browser’s domain-isolation mechanisms were broken, code could be executed that could allow an attacker to perform actions on behalf of the user as well as grant access to sensitive user information on affected third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more.
Michael Vainshtein, CTO at Guardio, said: “The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers. All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense.”
The story highlights the importance of swift vulnerability disclosure, response and remediation, particularly given that the flaw had the potential to affect any number of Evernote’s users (around 4,600,000 at the time of discovery).