Evernote’s Chrome extension vulnerability affects to 4.6 million users

The world-renowned software Evernote is currently found to have serious security vulnerabilities, and the problem is the extension of Evernote on Google Chrome. This vulnerability allows an attacker to build a phishing website and then trigger a cross-site scripting attack that an attacker can use to read all the information on any website. For example, when a user uses online banking or paying for an order, the credit card number and security code can be recorded, and the entire stealing process requires little user interaction.

“IMG_8038” by masakiishitani is licensed under CC BY-NC-SA 2.0

According to statistics, there are about 4.6 million users worldwide using Evernote’s Google Chrome extension, and Evernote extensions for Firefox and other browsers are not affected. This vulnerability is mainly due to the logic error of the Evernote extension, which can bypass the browser’s same-origin policy to read the information on the website.

Under normal circumstances, the Evernote extension only reads the domain content that has been granted permissions, and the error allows the attacker to execute code and so on outside the granted domain. After destroying the website isolation function of Google Chrome, an attacker can read any website information, and the user can read it as long as the user visits the corresponding website. However, the attacker also needs to start building a phishing website to induce user access. After completing this step, a hacker can use the Evernote extension to do whatever hacker wants.

Evernote has fixed this vulnerability since it received the researcher’s report, so users can safely upgrade to the latest version of the extension.