Chrome extension critical flaw could enable XSS attacks

News by Rene Millman

Critical vulnerability in Evernote Web Clipper for Chrome enables hackers to access a victim's sensitive information; it directly impacts third-party services and is not limited to a person's Evernote account.

Security researchers have found a critical vulnerability in Evernote Web Clipper for Chrome that would enable hackers to gain access to a victim's sensitive information.
According to a blog post by researchers at Guardio, a logical coding error made it possible to break domain-isolation mechanisms and execute code on behalf of the user, granting access to sensitive user information not limited to Evernote's domain.
"Financials, social media, personal emails, and more are all natural targets," said researchers. The Universal XSS vulnerability was marked as CVE-2019-12592.
They added that upon successful exploitation, a visit to a hacker-controlled website would compromise the visitor's private data from affected third-party websites. In their proof-of-concept (PoC), Guardio demonstrated access to social media (reading and posting content), financial transaction history, private shopping lists, and more.
"In contrast to most critical extension vulnerabilities in the past, such as the infamous Grammarly security bug, this vulnerability directly impacts third party services and is not limited to a person’s Evernote account," said researchers.
In the proof-of-concept, a user navigates to the attacker's malicious website (e.g. via social media, email, a compromised blog comment, etc.). The malicious website then silently loads hidden, legitimate iframe tags of the targeted websites. The exploit is triggered by the malicious website and causes Evernote's internal infrastructure to inject an attacker-controlled payload into all iframe contexts. The injected payload is customised for each targeted website and is able to steal cookies, credentials and private information, perform actions as the user, and more.
Researchers said the flaw provides a means of a Universal XSS injection into any framed website as controlled by the attacker.
"From here on out, a large number of implementations are possible - the ones provided to Evernote as part of Guardio’s PoC are only a small handful compared to what is within the realm of possibilities of malicious actors," said researchers.
As a result of Guardio’s disclosure, Evernote has patched the vulnerability and a fixed version has been deployed.
"This vulnerability is a testament to the importance of treating browser extensions with extra care and only installing extensions from trusted sources," said researchers. "All it takes is a single unsafe extension to compromise anything possible for you to do online (financials, social media, personal emails, and more)."
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that add-ons, extensions, and other third-party apps always carry some degree of risk. 
"Companies should be careful in vetting which extensions are allowed within the corporate environment. In this case, in order to exploit the vulnerability, attackers need to redirect targets to websites that they control, which then run exploits that can force Evernote to inject the malicious payload," he said.
"One of the best defences in such scenarios is to ensure users are trained up so they are less likely to be tricked into accessing malicious sites that will download or inject malicious software to their machines."
Boris Cipot, senior security engineer at Synopsys, told SC Media that the steps to mitigation are the same as with any other software an organisation uses.
"Make a list of used - or better to say allowed, used software - and their extensions and monitor its development and vulnerability notifications. In case something happens you need to block or uninstall this piece of software from the users' computers either by policy invocation or other software that takes care of your installed software packages on user machines," he said.
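One way to act on the vetting and inventory advice above (an added example, not code from the article, Guardio or Evernote): a Python audit that walks a Chrome profile's installed extensions, checks each extension id against an allowlist, and flags manifests that request access to every origin or run content scripts in every frame, the capability class an extension-level injection into framed third-party pages relies on. The sample ids and manifests are constructed placeholders, and the all-frames heuristic is an assumption of this example; the article does not describe Evernote's manifest or the exact logic error.

```python
import glob
import json
import os

# Match patterns that let a content script or host permission cover every origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict, ext_id: str, allowlist: set) -> dict:
    """Return findings for one extension; ext_id is the 32-letter Chrome extension id."""
    findings = {"id": ext_id, "name": manifest.get("name", "<unnamed>"), "issues": []}
    # Allowlist by id, the same key Chrome's ExtensionInstallAllowlist policy uses.
    if ext_id not in allowlist:
        findings["issues"].append("not on allowlist")
    # Manifest v2 lists host patterns under "permissions", v3 under "host_permissions".
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        findings["issues"].append("broad host access")
    # A script matching every URL in every frame reaches framed third-party pages too.
    for script in manifest.get("content_scripts", []):
        if script.get("all_frames") and set(script.get("matches", [])) & BROAD_HOSTS:
            findings["issues"].append("content script in all frames on all URLs")
            break
    return findings

def audit_profile(user_data_dir: str, allowlist: set) -> list:
    """Walk Chrome's Extensions/<id>/<version>/manifest.json layout under a profile."""
    pattern = os.path.join(user_data_dir, "Extensions", "*", "*", "manifest.json")
    results = []
    for path in glob.glob(pattern):
        ext_id = os.path.basename(os.path.dirname(os.path.dirname(path)))
        with open(path, encoding="utf-8") as fh:
            results.append(audit_manifest(json.load(fh), ext_id, allowlist))
    return results

# Constructed sample data: placeholder ids and manifests, not any real extension's.
APPROVED_ID, UNVETTED_ID = "a" * 32, "b" * 32
ALLOWLIST = {APPROVED_ID}
SAMPLE_MANIFESTS = {
    APPROVED_ID: {"name": "Approved Clipper", "version": "1.0", "manifest_version": 2,
                  "permissions": ["activeTab", "storage"],
                  "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["clip.js"]}]},
    UNVETTED_ID: {"name": "Unvetted Helper", "version": "0.3", "manifest_version": 2,
                  "permissions": ["<all_urls>", "cookies"],
                  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "all_frames": True}]},
}

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        print(audit_manifest(manifest, ext_id, ALLOWLIST))
```

Point `audit_profile` at a real Chrome user data directory (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows) to audit what is actually installed; the name field is informational only, since names are not a trustworthy allowlist key.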
