Users of Evernote’s Web Clipper extension for Google Chrome should check it has been updated to the latest version after a security company published details of a dangerous security flaw.

Discovered by Guardio in May, ‘dangerous’ in this context means that anyone using it in its unpatched state is at risk not only of a compromise of their Evernote account but, potentially, of third-party accounts (email, social media, banking) they have open at the same time.

Identified as CVE-2019-12592, it is a Universal Cross-Site Scripting (UXSS) flaw caused by a “logical coding error” that breaks the browser’s domain isolation protection.

From the description offered, exploiting it would require several steps, the first of which would be luring the user to a malicious or compromised website. The attack would then load iFrame tags targeting specific services, hijacking Evernote to inject payloads into all iFrames:

Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.

To demonstrate the danger, Guardio developed a proof-of-concept to show that it was possible to exploit the vulnerability to steal user data under real-world conditions.

Only the 4.6 million users of the Chrome extension need to update (as far as we know, users of the Firefox, Opera, and Edge equivalents are unaffected). You’ll know you’re one of those if Chrome says the installed Evernote Web Clipper is earlier than the patched version, 7.11.1, released on.