Threat Watch

Evernote Web Clipper Extension Found to Have UXSS Vulnerability

Evernote Web Clipper is a browser extension that lets users capture full-page articles, images, selected text, important emails, and webpages. There are 4,610,745 documented users who have downloaded the extension through the Chrome web store, and all of them could be vulnerable to the flaw. If the vulnerability (CVE-2019-12592) is exploited, it could allow unauthorized access to information such as financial transaction history, private shopping lists, personal emails, and other sensitive data via malicious third-party sites. Such sites can be loaded with payloads that obtain the user’s information through Evernote’s internal infrastructure. Researchers noted that other third-party services could also be affected by the flaw. Once the payload is injected, exploitation of the flaw can be carried out in many ways. The research statement read, “From here on out, a large number of implementations are possible – the ones provided to Evernote as part of Guardio’s PoC are only a small handful compared to what is within the realm of possibilities of malicious actors.” Evernote’s security team acted quickly after being notified, and a fix was promptly released.

ANALYST NOTES

Users who have the Evernote Web Clipper extension are advised to update to the patched version immediately. Since email and financial information may have been accessed, users should monitor those accounts, and any accounts associated with them, for suspicious activity.