Flaw in Evernote Web Clipper for Chrome extension allows stealing data

Security experts discovered a vulnerability in the popular Evernote Web Clipper for Chrome can be exploited to steal sensitive data from sites visited by users.

Security experts at browser security firm Guardio discovered a critical universal cross-site scripting (XSS) vulnerability in the Evernote Web Clipper for Chrome.

“In May 2019 Guardio’s research team has discovered a critical vulnerability in Evernote Web Clipper for Chrome.” reads a blog post published by Guardio. “A logical coding error made it is possible to break domain-isolation mechanisms and execute code on behalf of the user – granting access to sensitive user information not limited to Evernote’s domain.”

The vulnerability, tracked as CVE-2019-12592, could be exploited by attackers operating malicious websites to bypass the browser’s same-origin policy (SOP) and execute arbitrary code on the victim’s behalf.

The Evernote Web Clipper extension for Chrome allows users to easily save online content to Evernote, including web pages, articles, images, text, and emails. The popular extension has over 4.6 million users.

The attack scenario sees hackers tricking victims into visiting specially crafted websites that load hidden iframes.

The vulnerability discovered by the experts in the Evernote extension allows an attacker to inject a malicious payload into all iframe contexts and steal credentials, cookies, and other data.

Researchers published a video PoC of the attacks that shows how hackers can steal a user’s Facebook information and data on PayPal transactions.

The researchers also provided a description of a Proof-of-Concept (PoC) attacks to steal sensitive data from an unsuspecting user, below the attack scenario:

User navigates to the attacker’s malicious website (e.g. via social media, email, a compromised blog comment, etc.).
Malicious website silently loads hidden, legitimate iframe tags (link) of targeted websites.
The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker controlled payload into all iframes contexts.
Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.

Below the timeline of the flaw:

May 27th, 2019 – Initial disclosure.
May 28th, 2019 – Follow-up email.
May 28th, 2019 – Issue confirmed and classified as a vulnerability.
May 29th, 2019 – Credited on Evernote’s Security Page (link).
May 31st, 2019 – Evernote Web Clipper 7.11.1 released.
June 4th, 2019 – Fix confirmed.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Evernote Web Clipper for Chrome, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.