A critical flaw in the Evernote Web Clipper Chrome extension could allow potential attackers to access users' sensitive information from third-party online services.
In Chrome, navigate to Evernote Web Clipper. Click the green Download for Chrome button in the center of the page. Click the Add button in the dialog box that descends from the top of your web browser. Use the Evernote extension to save things you see on the web into your Evernote account.
Evernote lets you use a search filter to show only notes created using the Web Clipper. To bring up a list of all the notes created with the Web Clipper, enter 'source:web.clip' in the search bar. Note: To bring up a list of notes clipped from the Web Clipper on Mac, click inside the search bar, then type 'web clips' or select Add Search Option.
Clipped content is always available in your Evernote account, whenever and wherever you need it.
Annotate screenshots
Take a screenshot of a webpage, then add text, callouts or annotations to highlight important information so you never forget why you saved it.
Organize on the fly
Add tags and remarks, edit titles, and save content to any.
'Due to Evernote's widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery,' says security company Guardio which discovered the vulnerability.
The Universal Cross-site Scripting flaw
The security issue is a Universal Cross-site Scripting (UXSS) (aka Universal XSS) tracked as CVE-2019-12592 and stemming from an Evernote Web Clipper logical coding error that made it possible to 'bypass the browser's same origin policy, granting the attacker code execution privileges in Iframes beyond Evernote's domain.'
Once Chrome's site isolation security feature is broken, user data from accounts on other websites is no longer protected and this allows bad actors to access sensitive user info from third-party sites, 'including authentication, financials, private conversations in social media, personal emails, and more.'
This can be done by redirecting the targets to hacker-controlled websites that load hidden iframes with the targeted third-party websites and trigger an exploit designed to force Evernote to inject a malicious payload into all loaded iframes, a payload that will 'steal cookies, credentials, private information, perform actions as the user and more.'
Guardio designed a working Proof-of-Concept (PoC) for the CVE-2019-12592 flaw that demonstrates how to gain access to the social media and financial info, shopping data, private messages, authentication data, and emails of anyone using a vulnerable Evernote Web Clipper Chrome extension version.
Evernote Web Clipper UXSS vulnerability already fixed
Evernote fully patched the vulnerability less than a week after receiving Guardio's responsible disclosure report on May 27: the fix was rolled out to all users on May 31, and the patch was confirmed as fully functional on June 4.
To make sure that you're using a patched version of Evernote's Web Clipper Chrome extension you have to go to the Evernote Chrome extension page at chrome://extensions/?id=pioclpoplcdbaefihamjohnefbikjilc and check if you have version 7.11.1 or greater installed.
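The same version check can be run across every Chrome profile on a machine instead of by hand. The script below is an added example, not code from Evernote or Guardio; it assumes Chrome's usual on-disk layout (`<user data dir>/<profile>/Extensions/<extension id>/<version dir>/manifest.json`), and the function names and sample profiles are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

EXT_ID = "pioclpoplcdbaefihamjohnefbikjilc"  # Web Clipper ID from the chrome:// URL above


def parse_version(text):
    """Extension versions are dot-separated integers; pad to 4 parts so tuples compare."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


FIXED = parse_version("7.11.1")  # first patched version according to the article


def audit(user_data_dir):
    """Return (profile, version, status) for every installed copy of the extension."""
    findings = []
    pattern = f"*/Extensions/{EXT_ID}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        profile = manifest.parts[-5]
        try:
            version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            # Numeric comparison: as plain strings, "7.9.0" would sort above "7.11.1".
            status = "patched" if parse_version(version) >= FIXED else "VULNERABLE"
        except (ValueError, KeyError, TypeError, OSError):
            # Unreadable or malformed manifest: flag for review, never assume patched.
            version, status = manifest.parent.name, "UNKNOWN"
        findings.append((profile, version, status))
    return findings


def build_sample_tree(root):
    """Constructed sample data: three fake profiles, one patched, one old, one corrupt."""
    samples = {"Default": '{"version": "7.11.1"}',
               "Profile 1": '{"version": "7.9.0"}',
               "Profile 2": "{not json"}
    for profile, body in samples.items():
        ext_dir = Path(root) / profile / "Extensions" / EXT_ID / "sample_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit(build_sample_tree(tmp)):
            print(*row, sep="\t")
```

To audit a real machine, pass Chrome's user data directory to `audit()` in place of the sample tree.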
'The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers,' said Guardio CTO Michael Vainshtein.
'All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense.'
In 2017, after a huge user backlash, Evernote had to backtrack on a proposed 'improvement' to its Privacy Policy that allowed its staff members to read users' unencrypted notes.
More recently, during mid-April, Evernote fixed a path traversal vulnerability that allowed attackers to remotely run locally stored apps or files on their targets' Macs.
No one can remember everything and that’s why we make notes. Making a note is not tough but organizing and producing it when required takes skills. I used to use sticky notes on my computer and stock notes on my Android to keep track of things but, believe me, it was a painful task.
If you too think you are stuck with the conventional way and wish to make your notes worth reading, I think Evernote is the best solution.
What is Evernote
Evernote is an excellent web service to manage all your important notes in the form of text, webpages, photographs, or even voice memos. These notes are stored on web servers and thus can be accessed from anywhere, provided you have a working internet connection. Moreover, Evernote has designed mobile applications for almost all high-end smartphones, thus providing you assistance wherever you go.
Not only does Evernote remember your notes, it also helps you access them easily by organizing them. You can search for notes by keywords, titles, and tags. Also, Evernote magically makes printed and handwritten text inside your images searchable (which is pretty cool in my opinion).
If you don’t have an Evernote account, you may make one for free and enjoy its outstanding capabilities right away.
Clip to Evernote Chrome Extension
Most of us use bookmarks or Read it Later-like services to save online webpages for future reference. The biggest disadvantage of doing so is that all the data is stored locally and there is no fail-safe method to recover it if your computer were to go haywire. Also, organizing bookmarks is a tedious task, and producing them for reference later can be frustrating.
By using the Clip to Evernote extension for Chrome, you can save webpages or parts of them in the form of text, links or images, all with a single click. Also, you can search through your Evernote repository whenever you search on Google, Bing or Yahoo.
How To Install The Extension
If you are on Google Chrome, head over to the Clip to Evernote page and click the Install button. The extension will download and install automatically. Once it’s successfully installed, you will see a green elephant icon next to your address bar. That’s your Evernote extension!
Saving Your First Clip
Step 1: Once you have the extension installed, click on it and log in to your Evernote account by providing your login credentials.
Step 2: Once you are in, click on the clip article button and select the web article you want to clip and save.
Step 3: Your article will be clipped and saved automatically on the Evernote server. You can now add comments and tags to the note for future reference.
Voila, you can now access the webpage as a note anywhere without the fear of losing it. There are also the Clip full page and Clip URL options that you can use when needed.
My Verdict
To be honest, I fell in love with the service and the extension when I first laid my hands on them. It’s an excellent service and a sure-shot replacement for Read it Later-like services.