The Evernote Web Clipper For Chrome extension has been identified to contain a very dangerous flaw described in the CVE-2019-12592 advisory allowing for sensitive user data to be acquired. According to the released information the cause for this vulnerability is a logical coding error in the application.
Evernote Web Clipper For Chrome Bug Leaks Data According To CVE-2019-12592
A security issue has been identified in one of the most popular plugins used by Google Chrome Users — The Evernote Web Clipper. This is an extension that is installed alongside the main Evernote application if the user has a Google Chrome installation. The purpose of Web Clipper for Chrome is to help with the acquisition of different content data and send it to the application.
The problem has been found in the way the browser handles the same-origin policy, a security feature which is used to isolate the interactive contents from running code that can lead to various malicious actions. The actual flaw can be called into action by leading the intended victims to hacker-crafted sites which will trigger the issue. For the purpose of proving that the flaw is real a proof-of-concept has been presented. The step-by-step process is the following:
- The users are led to the hacker-made page — this can be done by a link inserted through various means: ads, banners, redirects and even stolen or hacked social media profiles.
- Upon visiting the site the built-in scripts will load malicious content that are hidden in various tags and automatically processed by the browsers.
- A code injection will be launched into the browsers.
- The code will be launched on the local host making it possible to steal sensitive information.
By abusing the Evernote Web Clipper For Chrome flaw the attackers can gather information that can reveal the identity of the victims, certain machine metrics and all data contained within the victim browsers. Furthermore as this is a script-based approach the criminals may also cause malicious code execution. In an attack scenario this may provide a suitable method for spreading cryptocurrency miners and other common malware. Evernote has issued a security patch and we urge that all users update their desktop apps and extensions.