Major vulnerability in Evernote’s Web Clipper left user data of millions vulnerable

• It is estimated that the issue affected around 4.6 million users at the time of its discovery.
• The flaw existed in the Chrome extension of Evernote Web Clipper.

A critical flaw in Evernote’s Web Clipper extension had exposed user data of millions of Evernote users. The flaw, which is a Universal Cross-site Scripting (UXSS) vulnerability, could permit attackers to access sensitive user information from malicious third-party websites.

Security firm Guardio came across this flaw in the extension last month. Additionally, a proof-of-concept (PoC) devised by the company showed that Web Clipper could be epxloited to gain sensitive information such as financial transaction history, private shopping lists, and more.

Key highlights

• According to Guardio’s security researchers, the UXSS flaw was the result of a logical coding error along with an input sanitization issue in the Web Clipper extension.
• Marked as CVE-2019-12592, the flaw left sensitive information of around 4.6 million Evernote users vulnerable.
• The exploit developed by the researchers showed that malicious websites can be loaded with harmful payloads which compromise information through Evernote’s internal infrastructure.
• Apart from Evernote accounts, Guardio also mentions that the flaw impacts certain third-party services.

Worth noting

Guardio emphasizes that the UXSS flaw could be exploited in numerous ways after payload injection. “From here on out, a large number of implementations are possible - the ones provided to Evernote as part of Guardio’s PoC are only a small handful compared to what is within the realm of possibilities of malicious actors,” read the firm’s blog.

Upon notifying the security team of Evernote, the company quickly responded by developing a patch for this issue. The fix was released within a few days.