SUBSCRIBE TO TMCnet
TMCnet - World's Largest Communications and Technology Community

TMC NEWS

TMCNET eNEWSLETTER SIGNUP

Guardio Discovers Major Vulnerability in Evernote's Chrome Extension
[June 12, 2019]

Guardio Discovers Major Vulnerability in Evernote's Chrome Extension


TEL AVIV, Israel, June 12, 2019 /PRNewswire/ -- Guardio, a leading browser-centric and cloud security company, discovered a major flaw in Evernote's Web Clipper Chrome extension's code that left it vulnerable, potentially allowing threat actors to access personal information from users' online services.

The vulnerability, a Universal XSS marked CVE-2019-12592, was discovered as part of Guardio's ongoing security analysis efforts using a combination of internal technology and researchers. Guardio disclosed the vulnerabilities to Evernote during the last week of May, which prompted Evernote to address them and roll out a complete fix - within less than a week.

Due to Evernote's widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery.

The logical coding error in the Web Clipper extension could have allowed an attacker to bypass the browser's same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote's domain. As the browser's domain-isolation mechanisms were broken, code could be executed that could allow an attacker to perform actions on behalf of the user as well as grant access to sensitive user information on affeced third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more.



According to its security page, Evernote "periodically assesses its infrastructure and applications for vulnerabilities and remediates those that could impact the security of customer data."

As the trend to move to the cloud continues, the browser is becoming the users de-facto OS - replacing where users use their applications and access their data. While app authors strive to provide faster, smoother user experiences, extensions usually have permissions to access a trove of sensitive resources, inadvertently posing a much greater security risk than traditional websites. Guardio's protection comes into play in these new potentially vulnerable threat areas.


"The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers," said Michael Vainshtein, CTO, Guardio. "All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense."

About Guardio

Guardio is a new breed of cyber security product designed to tackle threats and security concerns within the browser. Mitigating threats from malicious or unwanted extensions is an integral part of how Guardio protects its users, able to neutralize harmful extensions in real-time. Combined with strong anti-phishing capabilities, malicious ad blocking and information leak monitoring. Guardio bundles a complete online protection suite where it matters most - your browser.

Media Contact
Amy Kenigsberg, K2 Global Communications
http://k2-gc.com/ 
amy@k2-gc.com 
Tel: +972-9-794-1681 (+2 GMT)
Mobile: +972-524-761-341
U.S.: +1-913-440-4072 (+7 ET)

 

Cision View original content:http://www.prnewswire.com/news-releases/guardio-discovers-major-vulnerability-in-evernotes-chrome-extension-300866322.html

SOURCE Guardio LTD.


[ Back To TMCnet.com's Homepage ]









Technology Marketing Corporation

35 Nutmeg Drive Suite 340, Trumbull, Connecticut 06611 USA
Ph: 800-243-6002, 203-852-6800
Fx: 203-866-3326

General comments: tmc@tmcnet.com.
Comments about this site: webmaster@tmcnet.com.

STAY CURRENT YOUR WAY

© 2019 Technology Marketing Corporation. All rights reserved | Privacy Policy