A new Evernote vulnerability was recently announced that allows hackers to hijack victims' files. It is a cross-site scripting (XSS) bug that also gives the operators the ability to execute arbitrary commands. A patch was released, but soon afterwards it was confirmed that the flaw still allowed hackers to inject malware code.
The Evernote Vulnerability Endangers Windows Users
The popular Evernote Windows application has been found to be vulnerable to a previously known cross-site scripting flaw. The company patched it back in October with the release of a beta version, and the fix was later made available to all users. At the time the bug was tracked in the CVE-2018-18524 advisory, which is currently under embargo.
Later, however, a security researcher known under the nickname Sebao found that although the file hijack problem was resolved, the other problem remains. Patched Windows versions of the Evernote app have been found to still allow malicious users to execute arbitrary code. A proof-of-concept demonstration was done using a photo as the payload file.
The mechanism of injection is very simple and it can be abused even by beginner hackers. It follows a step-by-step process:
- A photo must be added to a user note. This can be any file that the user might use.
- When it is renamed to “" onclick="alert(1)">.jpg”, Evernote’s engine will automatically launch the onclick action.
- Such files can be easily spread on the Internet.
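Why a file name of that shape becomes script, as an added example (not Evernote's code and not taken from the researcher's disclosure): it assumes the client interpolates the attachment name into an HTML attribute, and the function names and the `attachment.jpg` path are hypothetical. The unescaped version gains an `onclick` attribute; the escaped version keeps the whole name inside `title`.

```javascript
// Constructed illustration; the page does not show how Evernote builds its markup.
const FILENAME = '" onclick="alert(1)">.jpg'; // the file name quoted in the article

// Vulnerable pattern (assumed): the name is pasted into an attribute unescaped.
function renderUnsafe(name) {
  return '<img src="attachment.jpg" title="' + name + '">';
}

// Escape every character that can close an attribute value or open markup.
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: the same template, with the name escaped for attribute context.
function renderSafe(name) {
  return '<img src="attachment.jpg" title="' + escapeAttr(name) + '">';
}

// List the attribute names of the first tag, honouring quoted values,
// to show what an HTML parser would see in the rendered string.
function attributeNames(html) {
  let quote = null;
  const start = html.indexOf('<') + 1;
  let i = start;
  for (; i < html.length; i++) {
    const c = html[i];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') break; // first '>' outside quotes ends the tag
  }
  const body = html.slice(start, i).replace(/^\S+/, ''); // drop the tag name
  const attr = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  return [...body.matchAll(attr)].map((m) => m[1]);
}

// True when the rendered tag carries any inline event handler (on*).
function hasEventHandler(html) {
  return attributeNames(html).some((n) => /^on/i.test(n));
}

console.log(attributeNames(renderUnsafe(FILENAME)), hasEventHandler(renderUnsafe(FILENAME)));
console.log(attributeNames(renderSafe(FILENAME)), hasEventHandler(renderSafe(FILENAME)));
```
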
By using common XSS scripts the researcher was able to read the contents of local files and interact with the computer. Another example was the capability to launch an application. To read the full disclosure access the security announcement.