Evernote extension for Chrome vulnerability allows confidential information theft

Security researchers have reported a critical vulnerability in Evernote's Web Clipper extension for the Chrome browser that, if exploited, would let an attacker run script in the victim's browser in the context of other websites and extract confidential information from those sites.

Evernote is a widely used service for taking notes and organizing to-do lists; according to its developers, the Evernote Web Clipper extension for Chrome currently has more than 4.5 million users.

The vulnerability, tracked as CVE-2019-12592 and discovered by researchers at the firm Guardio, stems from the way the code the extension injects into web pages interacts with those pages, their iframes and their scripts: a web page can abuse that interaction to bypass the Same Origin Policy (SOP) and the browser's domain isolation.

In their report, the researchers explain that, when the flaw is exploited, a website under the attacker's control can execute arbitrary code in the browser in the context of other domains, on the user's behalf, which is a universal cross-site scripting (UXSS) condition. “An exploit that allows you to load a script controlled by the attacker can be used with only one window.postMessage” command, the report states. “Abusing the Evernote infrastructure, the malicious script is injected into all the frames on the page.”
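To make the bug class concrete, the following is an added illustration, not Evernote's or Guardio's code and not the actual Web Clipper logic: a postMessage-driven script loader of the kind an extension injects into pages, first in a form that trusts whatever the page sends, then in a hardened form. The extension id, the trusted origin and the bundled script names are assumptions, and browser objects are modelled as plain JavaScript so the example runs under Node.

```javascript
// Added example, not Evernote's or Guardio's code: the bug class behind
// CVE-2019-12592, where extension code injected into a page acts on a
// window.postMessage from the page without checking who sent it. Frames and
// message events are modelled as plain objects so this runs under Node; the
// extension id, trusted origin and script names below are made up.

// Stand-in for a frame on the page: records the scripts it was told to load.
function makeFrame(origin) {
  return { origin, loadedScripts: [] };
}

// --- Vulnerable pattern ---------------------------------------------------
// Any page can post {type: "load-script", src: <url>}: the handler never looks
// at event.origin, takes the script URL straight from the message, and loads
// it into every frame on the page, so attacker script ends up running in the
// context of every other origin the page embeds.
function vulnerableOnMessage(frames, event) {
  const msg = event.data;
  if (!msg || msg.type !== "load-script" || typeof msg.src !== "string") return [];
  for (const frame of frames) frame.loadedScripts.push(msg.src);
  return frames.map((f) => f.origin); // origins now running msg.src
}

// --- Hardened pattern -----------------------------------------------------
const EXTENSION_BASE = "chrome-extension://abcdefghijklmnopabcdefghijklmnop"; // assumed id
const TRUSTED_SENDERS = new Set(["https://notes.example"]); // assumed first-party origin
// The page may only name a script the extension bundles; it never supplies a URL.
const BUNDLED_SCRIPTS = {
  clipper: EXTENSION_BASE + "/content/clipper.js",
  sidebar: EXTENSION_BASE + "/content/sidebar.js",
};

function hardenedOnMessage(frame, event) {
  const msg = event.data;
  if (!msg || msg.type !== "load-script") return null;
  if (!TRUSTED_SENDERS.has(event.origin)) return null; // reject unknown senders
  // hasOwnProperty guards against names like "toString" or "__proto__"
  // resolving through the object's prototype chain.
  if (!Object.prototype.hasOwnProperty.call(BUNDLED_SCRIPTS, msg.name)) return null;
  const src = BUNDLED_SCRIPTS[msg.name];
  frame.loadedScripts.push(src); // this frame only, no fan-out to siblings
  return src;
}

// Runs a hostile message through both handlers and a legitimate one through
// the hardened handler; returns the outcomes so they can be checked.
function demo() {
  const frames = [makeFrame("https://attacker.example"), makeFrame("https://bank.example")];
  const hostile = {
    origin: "https://attacker.example",
    data: { type: "load-script", src: "https://attacker.example/steal.js", name: "clipper" },
  };
  const compromised = vulnerableOnMessage(frames, hostile); // both origins hit
  const blocked = hardenedOnMessage(frames[1], hostile); // null: sender not trusted
  const legit = { origin: "https://notes.example", data: { type: "load-script", name: "clipper" } };
  const allowed = hardenedOnMessage(makeFrame("https://notes.example"), legit);
  return { compromised, blocked, allowed };
}

console.log(demo());
```

Under the vulnerable handler a single message from the hostile page is enough to get steal.js into the bank.example frame. The hardened handler rejects the sender, never accepts a URL from the page, and only touches the frame that received the message. Checking event.origin alone would not be enough if the script URL still came from the message, and the hasOwnProperty check matters because a plain property lookup on a plain object resolves names such as toString through the prototype chain.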

The Guardio researchers built a proof-of-concept exploit that injects a crafted payload into a target website to steal the victim's session cookies, login credentials for web platforms and other confidential information.

Specialists from the International Institute of Cyber Security (IICS) note that, while browser extensions can add genuinely useful features, it is difficult to verify that every third-party extension behaves correctly. Because an extension's injected code runs on every page its permissions cover, a single flaw in one extension becomes a flaw in every site the user visits, which leaves room for security failures and for attackers willing to exploit them.

Evernote was notified of the vulnerability and released a fixed version of the extension (7.11.1) for Chrome users. Chrome periodically checks for updated versions of installed extensions and applies them automatically, so users normally need to take no action; anyone who wants to confirm the fix can check the installed version on the chrome://extensions page.