Security experts at browser security firm Guardio discovered a critical universal cross-site scripting (XSS) vulnerability in the Evernote Web Clipper for Chrome.
“In May 2019 Guardio’s research team has discovered a critical vulnerability in Evernote Web Clipper for Chrome.” reads a blog post published by Guardio. “A logical coding error
The vulnerability, tracked as CVE-2019-12592, could be exploited by attackers operating malicious websites to bypass the browser’s same-origin policy (SOP) and execute arbitrary code on the victim’s behalf.
The Evernote Web Clipper extension for Chrome allows users to easily save online content to Evernote, including web pages, articles, images, text, and emails. The popular extension has over 4.6 million users.
The attack scenario sees hackers tricking victims into visiting specially crafted
The vulnerability discovered by the experts in the Evernote extension allows an attacker to inject a malicious payload into all iframe contexts and steal credentials, cookies, and other data.
Researchers published a video PoC of the attacks that shows how hackers can steal a user’s Facebook information and data on PayPal transactions.
The researchers also provided a description of a Proof-of-Concept (PoC) attacks to steal sensitive data from an unsuspecting user, below the attack scenario:
Below the timeline of the flaw:
(SecurityAffairs – Evernote Web Clipper for Chrome, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.