sincity Posted June 13, 2019

Security researchers have discovered a critical flaw in the Evernote Web Clipper Chrome extension which could allow potential attackers to access a user's personal information from third-party services online.

The vulnerability, a Universal Cross-site Scripting (UXSS) referred to as CVE-2019-12592, was discovered by the security company Guardio as part of its ongoing security analysis efforts using a combination of its own internal technology and researchers.

After the discovery, the firm immediately disclosed the vulnerability to Evernote and the note-taking service quickly rolled out a complete fix in less than a week.

However, due to Evernote's widespread popularity, the issue could have potentially affected the 4.6m consumers and businesses that use its Chrome extension.

Web Clipper extension

Before Evernote fixed the issue, the logical coding error in the Web Clipper extension could have allowed an attacker to bypass Chrome's same origin policy which would have granted them code execution privileges in iframes on other sites besides Evernote.

Without Chrome's domain-isolation mechanisms, code could be executed that could allow an attacker to perform actions on the user's behalf as well as grant access to sensitive user information on affected third-party web pages and services including authentication, financial details, social media conversations, personal emails and more.

Guardio's CTO Michael Vainshtein explained why browser extensions need to be scrutinized thoroughly, saying:

"The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers. All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense."

Via Bleeping Computer
http://feeds.feedburner.com/~r/techradar/digital-home/~4/r_OAsHSFaHE