A critical flaw in the Evernote Web Clipper Chrome extension could allow potential attackers to access users' sensitive information from third-party online services.

"Due to Evernote's widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery," says security company Guardio which discovered the vulnerability.

The Universal Cross-site Scripting flaw

The security issue is a Universal Cross-site Scripting (UXSS) (aka Universal XSS) tracked as CVE-2019-12592 and stemming from an Evernote Web Clipper logical coding error that made it possible to "bypass the browser's same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote's domain."

Once Chrome's site isolation security feature is broken, user data from accounts on other websites is no longer protected and this allows bad actors to access sensitive user info from third-party sites, "including authentication, financials, private conversations in social media, personal emails, and more."
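The core of a UXSS bug of this kind is a privileged script acting in a frame it should never have trusted. As an added example, written for this page and not Evernote's or Guardio's code, the snippet below shows the check a content script should make before doing anything privileged in a frame: parse the frame's origin with `URL()` and compare `url.origin` exactly against an allowlist. The allowlist hosts are assumed values chosen for illustration; in a real content script the candidate would be `window.location.origin`.

```javascript
// Added illustrative example (not Evernote's or Guardio's code): deciding whether
// the frame an injected script runs in belongs to a trusted origin.
// The allowlist entries are assumed values used only for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://www.evernote.com",
  "https://app.evernote.com", // assumed host, present only to show multiple entries
]);

// Returns true only for an exact, fully qualified origin match.
// Comparing url.origin (scheme + host + port) avoids the classic logic errors:
//  - substring / startsWith matching, which accepts "www.evernote.com.attacker.example"
//  - scheme confusion (http vs https)
//  - non-http schemes such as javascript: or data:, whose origin is "null"
function isAllowedOrigin(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return false; // unparsable input is never trusted
  }
  if (url.protocol !== "https:") return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Gate for a privileged action (for example reading page content and handing it
// to the extension's background page): run it only in an allowlisted frame.
function runIfTrusted(frameOrigin, action) {
  if (!isAllowedOrigin(frameOrigin)) {
    return { ran: false, reason: `refused: ${frameOrigin} is not an allowlisted origin` };
  }
  return { ran: true, result: action() };
}

// Example calls with constructed inputs
console.log(runIfTrusted("https://www.evernote.com/clip", () => "clipped"));
console.log(runIfTrusted("https://www.evernote.com.attacker.example", () => "clipped"));
```

The design point is that the decision is made on the parsed origin of the frame itself, not on a string the page supplies or a prefix match on the hostname, so a lookalike domain or a non-https scheme is rejected before any privileged code runs.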

Exploiting the flaw

Attackers can exploit the flaw by redirecting targets to hacker-controlled websites that load hidden iframes with the targeted third-party websites and trigger an exploit designed to force Evernote to inject a malicious payload into all loaded iframes, a payload that will "steal cookies, credentials, private information, perform actions as the user and more."

Guardio designed a working Proof-of-Concept (PoC) for the CVE-2019-12592 flaw that demonstrates how to gain access to the social media and financial info, shopping data, private messages, authentication data, and emails of anyone using a vulnerable Evernote Web Clipper Chrome extension version.

Evernote Web Clipper UXSS vulnerability already fixed

Evernote fully patched the vulnerability within a week of receiving Guardio's responsible disclosure report on May 27, rolling out the fix to all users on May 31; the patch was confirmed as fully functional on June 4.

To make sure that you're using a patched version of Evernote's Web Clipper Chrome extension, open the extension's page at chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc and confirm that version 7.11.1 or later is installed.
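Checking one browser by hand is easy; checking an inventory of reported versions is where mistakes creep in, because a plain string comparison ranks "7.9.2" above "7.11.1". The snippet below is an added example, not Evernote's code, that compares dotted version strings component by component against the 7.11.1 minimum the article names. The `inventory` list and its host names are constructed sample data.

```javascript
// Added example (not Evernote's code): compare a dotted version string against the
// minimum patched Web Clipper version named in the article.
const MIN_PATCHED_VERSION = "7.11.1";

// Split "7.11.1" into [7, 11, 1]; reject anything that is not purely numeric
function parseVersion(v) {
  return String(v).trim().split(".").map((p) => {
    if (!/^\d+$/.test(p)) throw new Error(`invalid version component: "${p}"`);
    return Number.parseInt(p, 10);
  });
}

// Comparator returning -1, 0 or 1; missing trailing components count as 0,
// so "7.11" and "7.11.0" are equal.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed version is at or above the minimum patched version
function isPatched(installed, minimum = MIN_PATCHED_VERSION) {
  return compareVersions(installed, minimum) >= 0;
}

// Fleet-style use: constructed inventory of hypothetical machines and the
// extension version each one reported
const inventory = [
  { host: "ws-01", version: "7.11.1" },
  { host: "ws-02", version: "7.9.2" },
  { host: "ws-03", version: "7.12" },
];

function unpatchedHosts(list) {
  return list.filter((entry) => !isPatched(entry.version)).map((entry) => entry.host);
}

console.log("still vulnerable:", unpatchedHosts(inventory));
```

The numeric comparison is the whole point: "7.9.2" sorts after "7.11.1" as text but is older, so a string-based check would wrongly mark it as patched.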

"The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers," said Guardio CTO Michael Vainshtein.

"All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense."

In 2017, Evernote had to backtrack on a proposed "improvement" to the Privacy Policy that allowed its staff members to read users' unencrypted notes after huge user backlash.

More recently, during mid-April, Evernote fixed a path traversal vulnerability that allowed attackers to remotely run locally stored apps or files on their targets' Macs.