Critical Flaw in Evernote Add-On Exposed Sensitive Data of Millions

posted by Fnord666 on Sunday June 23, @09:08AM
Software Security

A critical flaw in the Evernote Web Clipper Chrome extension could allow potential attackers to access users' sensitive information from third-party online services.

"Due to Evernote's widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery," says security company Guardio, which discovered the vulnerability.

The security issue is a Universal Cross-site Scripting (UXSS, also known as Universal XSS) flaw tracked as CVE-2019-12592. It stems from a logical coding error in Evernote Web Clipper that made it possible to "bypass the browser's same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote's domain."

Once Chrome's site isolation security feature is broken, user data from accounts on other websites is no longer protected, and this allows bad actors to access sensitive user info from third-party sites, "including authentication, financials, private conversations in social media, personal emails, and more."



