Cybersecurity researchers discover a critical flaw in the popular Evernote Chrome extension that could have allowed hackers to hijack your browser and steal sensitive information from any website you accessed.
“Upon successful exploitation, a visit to a hacker-controlled website would compromise the visitor’s private data from affected 3rd-party websites,” researchers with Gaurdio, who discovered the flaw, said in an analysis this week. “In their Proof-of-Concept (PoC), Guardio has demonstrated access to Social media (reading and posting content), Financial transaction history, private shopping lists, and more.”
As shown in the video demonstration, the researchers also developed a Proof-of-Concept (PoC) exploit that can inject a customized payload on targeted websites, and steal cookies, credentials, and other private information from an unsuspecting user.
“The exploit is triggered by the malicious website and causes Evernote’s internal infrastructure to inject an attacker controlled payload into all iframes contexts,” researchers said.
A user first must be persuaded to go to the attacker’s malicious website, perhaps from an email or social media link. That malicious website then silently loads hidden, legitimate iframe tags of targeted websites. An iframe tag is an HTML document embedded inside another HTML document on a website.
Guardio team responsibly reported this issue to Evernote late last month, who then released an updated, patched version of its Evernote Web Clipper extension for Chrome users.
Since Chrome Browser periodically, usually after every 5 hours, checks for new versions of installed extensions and updates them without requiring user intervention, you need to make sure your browser is running the latest Evernote version 7.11.1 or later.