Evernote patches flaw potentially affecting 4.6 million users of Google Chrome extension

Evernote last month fixed a security flaw in a Google Chrome extension that could have allowed hackers to access information about roughly 4.6 million users, according to new research.

Security vendor Guardio announced Wednesday it had discovered a vulnerability in Evernote’s Web Clipper extension for Chrome that could have allowed attackers to bypass the browser’s “same origin policy,” a browser security mechanism that prevents scripts loaded from one website from reading content belonging to another.

Exploiting the flaw would have allowed attackers to gain privileges outside Evernote’s domain in Chrome — including access to a user’s other web content and services, researchers said.

Evernote resolved the flaw within days, Guardio said, and there is no evidence the bug was exploited.

Evernote did not respond to a request for comment from CyberScoop. The California company designs note-taking software that syncs and archives user files like lists, file attachments and websites between multiple devices.

“Evernote was at the top of the list of services our users use and when we did a static code analysis we found this vulnerability,” said Michael Vainshtein, Guardio’s chief technology officer. “They deployed a fix within just a number of days, maybe two or three, after we discussed it. They were great.”

Guardio was formed roughly a year ago by veterans of the Israeli military’s cybersecurity units. The company examines source code of extensions in Google’s Chrome store for potential anomalies.

The vulnerability, classified as CVE-2019-12592 in the MITRE vulnerability database, could have given a hacker access to information such as usernames and passwords, financial data, social media conversations and emails.

This disclosure comes roughly two months after Evernote implemented a security update for an unrelated vulnerability that could have allowed attackers to run malicious code in Evernote version 7.9 for macOS.

Before that, Evernote was forced to abandon a policy that would have allowed employees to read users’ notes had users not noticed an update that stated “… you cannot opt out of employees looking at your content.” The site also forced 50 million of its users to reset their passwords in 2013 following a security incident.