Evernote Vulnerability Abused To Steal Files From Victim Users

A recently announced Evernote vulnerability has been found to allow hackers to hijack files from victims. It is a cross-site scripting (XSS) bug which also gives the operators the ability to execute arbitrary commands. A patch was released, but soon afterwards it was confirmed that the flaw still allowed hackers to inject malware code.




The Evernote Vulnerability Endangers Windows Users

The popular Evernote application for Windows has been found to be vulnerable to a cross-site scripting flaw that was already known. The company patched it back in October with the release of a beta version, and the fix was later made available to all users. At that time the bug was tracked in the CVE-2018-18524 advisory, which is currently under embargo.

However, a security researcher known under the nickname Sebao later found that while the file hijack problem was resolved, the other problem remains. Patched Windows versions of the Evernote app have been found to still allow malicious users to execute arbitrary code. A proof-of-concept demonstration was done using a photo as a payload file.


The injection mechanism is very simple and can be abused even by beginner hackers. It follows a step-by-step process:

  • A photo must be added to a user note. This can be any file that the user might use.
  • When it is renamed to the following name (which begins with a double quote): " onclick="alert(1)">.jpg Evernote's engine will automatically launch the onclick action.
  • Such files can be easily spread on the Internet.
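
The steps above describe a file name that breaks out of a quoted attribute. The following is an added example, not code from the article or from Evernote: it renders the file name quoted above into an assumed img template, once unescaped and once attribute-encoded, and checks which attributes a parser would see. The template and all function names are hypothetical.

```javascript
// Added example. The <img> template and all function names are assumptions,
// not Evernote's real rendering code.
const PAGE_FILE_NAME = '" onclick="alert(1)">.jpg'; // file name quoted in the article

// Vulnerable pattern: the attachment name goes into a quoted attribute as-is.
function renderAttachmentUnsafe(fileName) {
  return '<img class="attachment" title="' + fileName + '">';
}

// Hardened pattern: encode every character that can close the attribute
// value or open new markup before the name reaches the template.
const ATTR_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '`': '&#96;',
};
function escapeAttr(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ATTR_ESCAPES[ch]);
}
function renderAttachmentSafe(fileName) {
  return '<img class="attachment" title="' + escapeAttr(fileName) + '">';
}

// Check for a single start tag: list the attribute names an HTML parser
// would see, so a test can assert that no unexpected attribute appeared.
function attributeNames(startTag) {
  const open = /^<[a-zA-Z][^\s>]*/.exec(startTag);
  if (!open) return [];
  const attr = /\s+([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/y;
  attr.lastIndex = open[0].length;
  const names = [];
  let m;
  while ((m = attr.exec(startTag)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// True when the rendered tag carries an event-handler attribute (on*).
function hasEventHandler(startTag) {
  return attributeNames(startTag).some((name) => name.startsWith('on'));
}

console.log(attributeNames(renderAttachmentUnsafe(PAGE_FILE_NAME)));
console.log(attributeNames(renderAttachmentSafe(PAGE_FILE_NAME)));
```

A check like hasEventHandler fits in a regression test for the renderer, so that a later template change cannot reintroduce unescaped file names unnoticed.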

By using common XSS scripts, the researcher was able to read the contents of local files and interact with the computer. Another example was the capability to launch an application. To read the full disclosure, access the security announcement.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
