The Data of 4.6 Million Evernote Users Was Put at Risk Due to a Flaw in the Chrome Extension

Evernote Web Clipper Chrome Extension Security Vulnerability

You've heard how important it is to be careful with the browser extensions you install, and you know what sort of criteria you need to consider before you decide whether or not a particular addon should be allowed anywhere near your browser. Ideally, you'll only add extensions that come from well-known vendors, have large userbases, and enjoy mostly positive reviews. How does Evernote Web Clipper for Chrome stack up?

Well, it's developed by the same people who bring you Evernote – a popular note-taking application. The extension itself was rated by more than 130 thousand people, and it has achieved an average rating of about 4.7 stars, which is nothing short of impressive. According to the Chrome Web Store, it's been downloaded by more than 4.6 million users.

Theoretically, the extension is completely safe to use. In practice, however, up until a couple of weeks ago, it wasn't.

Evernote's Web Clipper Chrome extension had a critical security vulnerability

Last month, researchers from Guardio discovered a rather serious security flaw with the Web Clipper Chrome extension. It was a universal cross-site scripting vulnerability, which, as a proof-of-concept exploit demonstrates, could have been used to steal anything from Facebook account information to PayPal transaction data.

This is what made the vulnerability so dangerous. As Guardio notes, most vulnerable extensions have a fairly limited reach and only affect data that is handled by the addon's vendor. The flaw in the Web Clipper extension, however, enabled the theft of all sorts of information that's not related to Evernote in any way.

All the hackers needed to do was lure the victim to a malicious website and hide some code in an iframe. An error in the sanitization mechanisms meant that the extension could be forced to execute the code and let the criminals in.

Evernote quickly fixed the issue

As you can see, even big companies that provide service to many millions of users make mistakes when writing their software. In such cases, it's very important to see how these errors are fixed, and we're happy to report that Evernote took the matter very seriously.

On May 27, Guardio got in touch with the software vendor and privately disclosed the security issue. Within 24 hours, Evernote acknowledged the problem and started work on fixing it. The next day, credit to Guardio's researchers was put on Evernote's Security Hall of Fame, and two days later, on May 31, a new version of the Web Clipper Chrome extension was officially released. Guardio's experts have confirmed that the update fixes the vulnerability which means that if you use Web Clipper on your Chrome browser, you must make sure that its version is 7.11.1 or newer.

June 13, 2019

Leave a Reply