A critical flaw in the Evernote Web Clipper Chrome extension could allow attackers to access users’ sensitive information from third-party online services.
- Once Chrome’s site isolation security feature is broken, user data from accounts on other websites is no longer protected and this allows bad actors to access sensitive user info from third-party sites
- Affected approximately 4,600,000 users
— Angelo G Longo (@aglongo) June 13, 2019
Javvad Malik, Security Awareness Advocate at KnowBe4:
“Add-ons, extensions, and other third-party apps always carry some degree of risk. Companies should be careful in vetting which extensions are allowed within the corporate environment. In this case, in order to exploit the vulnerability, attackers need to redirect targets to websites that they control, which then run exploits that can force Evernote to inject the malicious payload. One of the best defenses in such scenarios is to ensure users are trained up so they are less likely to be tricked into accessing malicious sites that will download or inject malicious software to their machines.”