SoylentNews is people

posted by Fnord666 on Sunday June 23 2019, @09:08AM
from the everleak dept.

Submitted via IRC for SoyCow4463

Critical Flaw in Evernote Add-On Exposed Sensitive Data of Millions

A critical flaw in the Evernote Web Clipper Chrome extension could allow potential attackers to access users' sensitive information from third party online services.

"Due to Evernote's widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery," says security company Guardio which discovered the vulnerability.

The security issue is a Universal Cross-site Scripting (UXSS) (aka Universal XSS) tracked as CVE-2019-12592 and stemming from an Evernote Web Clipper logical coding error that made it possible to "bypass the browser's same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote's domain."

Once Chrome's site isolation security feature is broken, user data from accounts on other websites is no longer protected and this allows bad actors to access sensitive user info from third-party sites, "including authentication, financials, private conversations in social media, personal emails, and more."
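To make "code execution privileges in Iframes beyond Evernote's domain" concrete, here is an added example in JavaScript (not Evernote's or Guardio's code, and not the actual coding error, which the article does not describe): a content-script gate that decides whether a frame may receive privileged extension code, with a constructed weak check beside a strict origin check. The allow-listed origins and the sample frame URLs are assumptions.

```javascript
// Added example, not Evernote's or Guardio's code. The allow-listed origins are
// assumptions; the real Evernote error is not described on the page.
const TRUSTED_ORIGINS = new Set([
  "https://www.evernote.com",
  "https://app.evernote.com",
]);

// Weak gate: a logical error of the kind that lets privileged code run in frames
// beyond the intended domain, because it only tests whether the URL contains a string.
function weakFrameCheck(frameUrl) {
  return String(frameUrl).includes("evernote.com");
}

// Strict gate: parse the URL and compare the exact origin (scheme + host + port)
// against the allow-list. Unparseable or opaque URLs (origin "null") are rejected.
function strictFrameCheck(frameUrl) {
  let origin;
  try {
    origin = new URL(String(frameUrl)).origin;
  } catch (e) {
    return false;
  }
  return TRUSTED_ORIGINS.has(origin);
}

// Run both gates over a list of frame URLs; each row where they disagree is a
// frame the weak gate would wrongly hand extension code to.
function compareGates(frameUrls) {
  return frameUrls.map((url) => ({
    url,
    weak: weakFrameCheck(url),
    strict: strictFrameCheck(url),
  }));
}

// Constructed sample frame URLs for the comparison.
const SAMPLE_FRAME_URLS = [
  "https://www.evernote.com/clip",              // genuine: both gates accept
  "https://evernote.com.attacker.example/",     // lookalike host
  "https://attacker.example/?ref=evernote.com", // string appears only in the query
  "http://www.evernote.com/",                   // right host, wrong scheme
  "about:blank",                                // opaque origin
];

// URLs the weak gate accepts but the strict gate rejects.
function overPrivilegedFrames() {
  return compareGates(SAMPLE_FRAME_URLS)
    .filter((r) => r.weak && !r.strict)
    .map((r) => r.url);
}
```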

This discussion has been archived. No new comments can be posted.
  • (Score: 1) by RandomFactor (3682) on Sunday June 23 2019, @12:52PM (#859057)

    Evernote resolved the flaw within days, Guardio said, and there is no evidence the bug was exploited.

    The affected extension has over 4.6 million users, according to statistics on the Chrome Web Store, theoretically putting a large number of users at risk. Evernote's handling of the vulnerability is laudable, as the company issued an update (version 7.11.1) to address the vulnerability less than one week after being notified.

    Presumably automatic updates on extensions would have already fixed this for most; people who have those turned off should obviously upgrade manually, however.

    --
    There is no news in Pravda, and no truth in Izvestia