Evernote extension for Chrome vulnerability allows confidential information theft

Experts in website security audits have reported a critical vulnerability in the Evernote extension for the Chrome browser that, if exploited, would allow hackers to hijack the victim’s browser and extract confidential information about the visited websites.

Evernote is a widely used service that helps users take notes and organize their lists of outstanding tasks; according to the developers, the Evernote Web Clipper extension for the Chrome browser currently has more than 4.5 million users.

The vulnerability, tracked as CVE-2019-12592 and discovered by experts in website security audits at the firm Guardio, exists due to the way the Chrome extension interacts with websites, iframes and scripts, breaking the Same Origin Policy (SOP) and domain isolation mechanisms.

In their report, the experts mention that, when the flaw is exploited, a website under threat actors’ control could execute arbitrary code in the browser in the context of other domains on the user’s behalf, triggering a universal cross-site scripting (UXSS) condition. “An exploit that allows you to load a script controlled by the attacker can be used with only one window.postMessage” command, the experts’ report states. “Abusing the Evernote infrastructure, the malicious script is injected into all the frames on the page”.
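
The class of flaw described above, a content script that lets a window.postMessage sender decide which script gets loaded, is shown here as an added example next to a hardened handler. This is not Evernote's or Guardio's code: the message fields, file names, extension ID and sample origins are all hypothetical and constructed for illustration.

```javascript
// Added illustration of the bug class; message fields and file names are hypothetical.
const EXTENSION_ORIGIN = 'chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'; // constructed ID
const BUNDLED_SCRIPTS = new Set(['clipper.js', 'highlighter.js']); // hypothetical files

// Weak form: any page that can call window.postMessage picks the script URL.
function resolveScriptWeak(event) {
  const msg = event.data;
  if (!msg || msg.type !== 'load-helper') return null;
  return String(msg.resourcePath) + String(msg.file);
}

// Hardened form: the sender is authenticated by origin, the message can only
// name a bundled file, and the base URL is never taken from the message.
function resolveScriptHardened(event) {
  if (event.origin !== EXTENSION_ORIGIN) return null;
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'load-helper') return null;
  if (typeof msg.file !== 'string' || !BUNDLED_SCRIPTS.has(msg.file)) return null;
  return `${EXTENSION_ORIGIN}/${msg.file}`;
}

// Assumed policy: only propagate into frames that share the top document's
// origin, so a request handled for one site never reaches another site's frame.
function framesEligibleForInjection(topOrigin, frameOrigins) {
  return frameOrigins.filter((origin) => origin === topOrigin);
}

// Constructed sample events (plain objects shaped like MessageEvent).
const fromWebPage = {
  origin: 'https://untrusted.example',
  data: { type: 'load-helper', resourcePath: 'https://untrusted.example/', file: 'x.js' },
};
const fromExtension = {
  origin: EXTENSION_ORIGIN,
  data: { type: 'load-helper', resourcePath: 'https://untrusted.example/', file: 'clipper.js' },
};

function demo() {
  return {
    weakFromPage: resolveScriptWeak(fromWebPage),
    hardenedFromPage: resolveScriptHardened(fromWebPage),
    hardenedFromExtension: resolveScriptHardened(fromExtension),
    frames: framesEligibleForInjection('https://shop.example',
      ['https://shop.example', 'https://bank.example']),
  };
}

console.log(demo());
```

Where possible, an extension avoids window.postMessage for privileged requests altogether and uses chrome.runtime messaging, which web pages cannot send on unless the extension explicitly allows it.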

Experts in website security audits created a proof-of-concept exploit that can be used to inject a specially crafted payload into the target website to steal browsing cookies, web platform access credentials and other confidential information of the victim.

Specialists from the International Institute of Cyber Security (IICS) consider that, while browser extensions can add truly useful features, it is difficult to make sure that all third-party developments work correctly, which leaves the way open for multiple security failures and hackers willing to exploit them.

The company was notified of the vulnerability and released a corrected version for Chrome users. Chrome periodically checks for updated versions of the extensions installed by the user, so users do not need to take any additional action.
