Submitted via IRC for SoyCow4463
Critical Flaw in Evernote Add-On Exposed Sensitive Data of Millions
A critical flaw in the Evernote Web Clipper Chrome extension could allow potential attackers to access users' sensitive information from third-party online services.
"Due to Evernote's widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery," says security company Guardio, which discovered the vulnerability.
The security issue is a Universal Cross-site Scripting (UXSS, aka Universal XSS) flaw tracked as CVE-2019-12592. It stems from a logical coding error in Evernote Web Clipper that made it possible to "bypass the browser's same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote's domain."
Once Chrome's site isolation security feature is broken, user data from accounts on other websites is no longer protected and this allows bad actors to access sensitive user info from third-party sites, "including authentication, financials, private conversations in social media, personal emails, and more."
(Score: 1) by RandomFactor on Sunday June 23 2019, @12:52PM
Presumably automatic updates on extensions would have already fixed this for most; people that have those turned off should obviously upgrade manually, however.
In "Pravda" there is no news, in "Izvestia" there is no truth