A critical flaw in Evernote’s Web Clipper extension had exposed user data of millions of Evernote users. The flaw, which is a Universal Cross-site Scripting (UXSS) vulnerability, could permit attackers to access sensitive user information from malicious third-party websites.
Security firm Guardio came across this flaw in the extension last month. Additionally, a proof-of-concept (PoC) devised by the company showed that Web Clipper could be exploited to gain sensitive information such as financial transaction history, private shopping lists, and more.
Guardio emphasizes that the UXSS flaw could be exploited in numerous ways after payload injection. “From here on out, a large number of implementations are possible - the ones provided to Evernote as part of Guardio’s PoC are only a small handful compared to what is within the realm of possibilities of malicious actors,” read the firm’s blog.
After Guardio notified Evernote's security team, the company quickly responded by developing a patch for this issue. The fix was released within a few days.