One of Evernote's Chrome extensions was flawed in a way that a hacker could steal sensitive data through a third-party online service.
This was revealed by security firm Guardio, which not only disclosed the vulnerability to Evernote but also built a working proof-of-concept showing how an attacker could obtain information such as social media details, financial data, shopping data, messages, authentication information and emails.
Guardio also said that roughly 4,600,000 people are potential victims, based on how many times the Evernote Web Clipper extension had been downloaded for Google Chrome. The flaw is a Universal Cross-Site Scripting (UXSS, or Universal XSS) vulnerability, tracked as CVE-2019-12592.
According to the report, it works by breaking Chrome's site isolation feature.
Evernote was notified on May 27 and issued a patch on May 31. The patch was confirmed to be fully functional as of June 4.
If you are not certain whether you are protected, open chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc and make sure you are running version 7.11.1 or later.
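For administrators who want to verify the same thing across many machines without opening each browser, the following added example (not code from the article, Guardio or Evernote) reads the version of the Web Clipper extension from a Chrome profile directory and compares it numerically against 7.11.1. It assumes Chrome's on-disk layout of `<profile>/Extensions/<extension id>/<version>_<n>/manifest.json`; the Linux profile path at the bottom is an assumption to adjust for your platform.

```python
"""Check whether the installed Evernote Web Clipper is at or above the patched version."""
import json
import os

EVERNOTE_WEB_CLIPPER_ID = "pioclpoplcdbaefihamjohnefbikjilc"  # extension ID from the article
PATCHED_VERSION = "7.11.1"  # first release carrying the CVE-2019-12592 fix, per the article


def parse_version(text):
    """Chrome extension versions are 1-4 dot-separated integers; compare them numerically.

    A plain string comparison gets this wrong: "7.9.9" sorts after "7.11.1"
    lexicographically even though it is the older release.
    """
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))  # pad so "7.11" and "7.11.0" compare equal
    return tuple(parts)


def is_patched(installed_version, patched_version=PATCHED_VERSION):
    return parse_version(installed_version) >= parse_version(patched_version)


def installed_versions(profile_dir, ext_id=EVERNOTE_WEB_CLIPPER_ID):
    """Return every version Chrome has unpacked for ext_id, read from each manifest.json."""
    ext_dir = os.path.join(profile_dir, "Extensions", ext_id)
    versions = []
    if not os.path.isdir(ext_dir):
        return versions
    for entry in os.listdir(ext_dir):
        manifest = os.path.join(ext_dir, entry, "manifest.json")
        if os.path.isfile(manifest):
            with open(manifest, encoding="utf-8") as fh:
                versions.append(json.load(fh)["version"])
    return versions


def check_profile(profile_dir):
    """Return (newest installed version, patched?) for the extension, or None if absent."""
    versions = installed_versions(profile_dir)
    if not versions:
        return None
    newest = max(versions, key=parse_version)
    return newest, is_patched(newest)


if __name__ == "__main__":
    # Assumed default Chrome profile location on Linux; adjust for Windows or macOS.
    profile = os.path.expanduser("~/.config/google-chrome/Default")
    print(check_profile(profile))
```

Chrome may keep more than one unpacked version directory while an update is pending, which is why the check reports the newest one rather than the first it finds.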
"The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers," said Guardio CTO Michael Vainshtein.
"All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense."