Evernote Web Clipper for Chrome was exploitable with cross-site scripting
A vulnerability in the Evernote Web Clipper’s Chrome extension allowed the collection of user data through cross-site scripting. This vulnerability made it possible to steal data from other websites.
The flaw was discovered by security firm Guardio, which found a way to abuse the extension to read information not only from Evernote itself, but also from other websites. The vulnerability, tracked as CVE-2019-12592, has since been fixed by Evernote.
To perform the exploit, attackers had to send the victim to a compromised website. On that website, the vulnerability in the Web Clipper was exploited through iframes containing code that could, for example, steal cookies or obtain login data. Before the attack, the attackers had to create a separate iframe for every website they wanted to look at or obtain information from. In a proof of concept, the researchers show how a message can be posted on Facebook via the vulnerability.
The vulnerability in the extension made it possible to bypass Chrome’s domain isolation security. The extension on Firefox was not vulnerable. The Web Clipper for Chrome was used by 4.6 million people, but as far as we know, the vulnerability has not been actively exploited.