Evernote’s web clipper extension for Chrome is vulnerable to a critical flaw that could have exposed the data of more than 4.6 million users.

UPDATE

A critical flaw in the popular note-taking Evernote extension could have allowed attackers to steal personal data – including emails and financial transactions – of millions.

Specifically impacted was the Evernote Web Clipper extension for the Chrome browser, which lets users capture full-page article, images, selected text, emails and more. The Evernote extension is extremely popular, putting the personal data of than 4.6 million users at risk, researchers said.

“Upon successful exploitation, a visit to a hacker-controlled website would compromise the visitor’s private data from affected 3rd-party websites,” researchers with Gaurdio, who discovered the flaw, said in an analysis this week. “In their Proof-of-Concept (PoC), Guardio has demonstrated access to Social media (reading and posting content), Financial transaction history, private shopping lists, and more.”

Researchers disclosed the flaw to Evernote on May 27; a fix was confirmed on June 4. Evernote users are urged to update to version 7.11.1 or later.

“At Evernote, we have not found any evidence that the vulnerability reported by Guardio has been exploited and Guardio does not believe that anyone took advantage of the bug,” an Evernote spokesperson told Threatpost.

“We have a robust security program which includes working with many external security researchers; when we or a third-party discover vulnerabilities, we have a formal triage process that ensures that we appropriately prioritize and resolve/mitigate the vulnerability,” the spokesperson said. “In this case, due to the potential impact, we had patched the vulnerability and distributed a new release within 3 days of Guardio’s contacting us.”

The Vulnerability

In order to enable the Evernote extension’s functionalities (such as highlighting or screenshotting the content of websites), a file is injected into web pages that use the extension.

However, a logical coding error (CVE-2019-12592) left a function – used to provide a valid URL from the site to the extension’s namespace – unsanitized. That means that attackers could inject their own script into the webpage – granting them access to sensitive user information.

“The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker controlled payload into all iframes contexts,” researchers said.

In a proof of concept video (below), researchers broke down how an attacker might exploit the flaw.

A user first must be persuaded to go to the attacker’s malicious website, perhaps from an email or social media link. That malicious website then silently loads hidden, legitimate iframe tags of targeted websites. An iframe tag is an HTML document embedded inside another HTML document on a website.

These iframe tags have injected payload customized for each targeted website, that could steal cookies, credentials, private information, perform actions as the user and more, researchers said.

Evernote has faced security incidents over the years, saying in 2013 that attackers had compromised user information like email addresses and hashed passwords. And in 2014, Evernote fell victim to a distributed denial of service (DDoS) attack that shut down the service for hours.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.

This story was updated on June 13 at 4:58 p.m. ET with additional comments from Evernote.