Researchers have found a critical flaw in Evernote’s web clipper extension that could have allowed hackers to access private information. Via a specially crafted website, Guardio was able to acess the financial, social media, and personal email information of a test user.
“A logical coding error made it is possible to break domain-isolation mechanisms and execute code on behalf of the user – granting access to sensitive user information not limited to Evernote’s domain,” explains the research team.
“Upon successful exploitation, a visit to a hacker-controlled website would compromise the visitor’s private data from affected 3rd-party websites. In their Proof-of-Concept (PoC), Guardio has demonstrated access to Social media (reading and posting content), Financial transaction history, private shopping lists, and more.”
Of course, getting a user to click on a suspicious link isn’t always an easy task. It’s unclear how much this flaw was exploited in the wild, but its impact on affected users would have been very large. Thankfully, Evernote patched the issue days after it was reported on May 27. It only affected the Chrome version, but Guardo says this could still amount to up to 4.6 million users.
The fact this follows previous breaches is also a concern. In 2013, Evernote admitted that hackers obtained emails and hashed passwords from its servers. This latest flaw is potentially more severe, as attackers can use hidden iframe tags to steal information like cookies and credentials from targetted websites like online banking.
As a result, Evernote recommends everyone updates to version 7.11.1 or later. Now that this flaw is public knowledge attackers will undoubtedly be trying to exploit it.