A critical flaw in Evernote’s Web Clipper extension had exposed user data of millions of Evernote users. It is estimated that the issue affected around 4.6 million users at the time of its discovery.

The flaw existed in the Chrome extension of Evernote Web Clipper. You can take notes as text, articles, bookmarks or even the entire web page. The tool is available for Google Chrome, Internet Explorer, Firefox and Opera.

The flaw, which is a Universal Cross-site Scripting (UXSS) vulnerability, could permit attackers to access sensitive user information from malicious third-party websites. Security firm Guardio came across this flaw in the extension last month.

Additionally, a proof-of-concept (PoC) devised by the company showed that Web Clipper could be exploited to gain sensitive information such as financial transaction history, private shopping lists, and more.

According to Guardio’s security researchers, the UXSS flaw was the result of a logical coding error along with an input sanitization issue in the Web Clipper extension.

Marked as CVE-2019-12592, the flaw left sensitive information of around 4.6 million Evernote users vulnerable.

The exploit developed by the researchers showed that malicious websites can be loaded with harmful payloads which compromise information through Evernote’s internal infrastructure. Apart from Evernote accounts, Guardio also mentions that the flaw impacts certain third-party services.

Guardio emphasizes that the UXSS flaw could be exploited in numerous ways after payload injection. “From here on out, a large number of implementations are possible - the ones provided to Evernote as part of Guardio’s PoC are only a small handful compared to what is within the realm of possibilities of malicious actors,” read the firm’s blog.

Upon notifying the security team of Evernote, the company quickly responded by developing a patch for this issue.