CVE-2019-12592: Evernote Web Clipper For Chrome Flaw Allows Data Theft

The Evernote Web Clipper For Chrome extension has been identified to contain a very dangerous flaw described in the CVE-2019-12592 advisory allowing for sensitive user data to be acquired. According to the released information the cause for this vulnerability is a logical coding error in the application.

Evernote Web Clipper For Chrome Bug Leaks Data According To CVE-2019-12592

A security issue has been identified in one of the most popular plugins used by Google Chrome Users — The Evernote Web Clipper. This is an extension that is installed alongside the main Evernote application if the user has a Google Chrome installation. The purpose of Web Clipper for Chrome is to help with the acquisition of different content data and send it to the application.

relacionado: Vulnerabilidade do Evernote abusada para roubar arquivos de usuários vítimas

The problem has been found in the way the browser handles the same-origin policy, a security feature which is used to isolate the interactive contents from running code that can lead to various malicious actions. The actual flaw can be called into action by leading the intended victims to hacker-crafted sites which will trigger the issue. For the purpose of proving that the flaw is real a proof-of-concept has been presented. The step-by-step process is the following:

  1. The users are led to the hacker-made page — this can be done by a link inserted through various means: Publicidades, banners, redirects and even stolen or hacked social media profiles.
  2. Upon visiting the site the built-in scripts will load malicious content that are hidden in various tags and automatically processed by the browsers.
  3. A code injection will be launched into the browsers.
  4. The code will be launched on the local host making it possible to steal sensitive information.

By abusing the Evernote Web Clipper For Chrome flaw the attackers can gather information that can reveal the identity of the victims, certain machine metrics and all data contained within the victim browsers. Furthermore as this is a script-based approach the criminals may also cause malicious code execution. In an attack scenario this may provide a suitable method for spreading mineiros criptomoeda and other common malware. Evernote has issued a security patch and we urge that all users update their desktop apps and extensions.


Martin Beltov

Martin formou-se na publicação da Universidade de Sofia. Como a segurança cibernética entusiasta ele gosta de escrever sobre as ameaças mais recentes e mecanismos de invasão.

mais Posts - Local na rede Internet

Me siga:
TwitterGoogle Plus

Deixe um comentário

seu endereço de e-mail não será publicado. Campos obrigatórios são marcados *

limite de tempo está esgotado. Recarregue CAPTCHA.

Compartilhar no Facebook Compartilhar
Compartilhar no Twitter chilrear
Compartilhar no Google Plus Compartilhar
Partilhar no Linkedin Compartilhar
Compartilhar no Digg Compartilhar
Compartilhar no Reddit Compartilhar
Partilhar no StumbleUpon Compartilhar