Cybersecurity researchers have discovered a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed.
Evernote is a popular service that helps people take notes and organise their to-do lists, and over 4,610,000 users have been using its Evernote Web Clipper extension for the Chrome browser.
Discovered by Guardio, the vulnerability (CVE-2019-12592) resided in the way the Evernote Web Clipper extension interacts with websites and iframes and injects scripts, eventually breaking the browser’s same-origin policy (SOP) and domain-isolation mechanisms.
According to researchers, the vulnerability could allow an attacker-controlled website to execute arbitrary code on the browser in the context of other domains on behalf of users, leading to a Universal Cross-site Scripting (UXSS or Universal XSS) issue.
“A full exploit that would allow loading a remote hacker controlled script into the context of other websites can be achieved via a single, simple window.postMessage command,” the researchers said.
“By abusing Evernote’s intended injection infrastructure, the malicious script will be injected into all target frames in the page regardless of cross-origin constraints.”
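The class of bug described above comes from treating a page-originated `window.postMessage` as a trusted request to load a script. The following added example, which is not Evernote's or Guardio's code, shows one way a content script can vet such a message before injecting anything; the message shape, script names, extension ID and frame list are assumptions.

```javascript
// Added example. The message shape, names and file paths are hypothetical,
// and the extension ID is a constructed placeholder.
const EXTENSION_BASE = "chrome-extension://abcdefghijklmnopabcdefghijklmnop";

// The page may only name a script; the URL is always built from this table.
const BUNDLED_SCRIPTS = new Map([
  ["clipper", "/js/clipper.js"],
  ["preview", "/js/preview.js"],
]);

// Decide whether a window "message" event may trigger script injection.
// `event` carries the browser-set `origin` plus page-controlled `data`;
// `frameOrigin` is the origin of the frame the content script runs in.
function resolveInjection(event, frameOrigin) {
  // event.origin is set by the browser, not the sender: reject other origins.
  if (event.origin !== frameOrigin) return { ok: false, reason: "cross-origin-sender" };
  const data = event.data;
  if (data === null || typeof data !== "object" || data.type !== "load-script") {
    return { ok: false, reason: "unexpected-message" };
  }
  // A same-origin page script can still post here, so data stays untrusted:
  // a URL in the message is never used, only a key into the table.
  if (typeof data.script !== "string" || !BUNDLED_SCRIPTS.has(data.script)) {
    return { ok: false, reason: "unknown-script" };
  }
  return { ok: true, url: EXTENSION_BASE + BUNDLED_SCRIPTS.get(data.script) };
}

// Injection stays inside the requesting origin: frames from other origins
// on the same page are skipped instead of receiving the script.
function framesToInject(frames, frameOrigin) {
  return frames.filter((f) => f.origin === frameOrigin).map((f) => f.id);
}

// Constructed sample events and frame list.
const samples = [
  { origin: "https://notes.example", data: { type: "load-script", script: "clipper" } },
  { origin: "https://notes.example", data: { type: "load-script", script: "https://cdn.invalid/x.js" } },
  { origin: "https://other.example", data: { type: "load-script", script: "clipper" } },
];
for (const ev of samples) console.log(resolveInjection(ev, "https://notes.example"));
console.log(framesToInject(
  [{ id: 0, origin: "https://notes.example" }, { id: 1, origin: "https://bank.example" }],
  "https://notes.example"));
```

Only the first sample resolves to a URL, and that URL always points inside the extension's own bundle; the cross-origin frame is left out of the injection list.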