Page 16 - AeM_June_2019
RESEARCH, ANALYSIS & TRENDS
Major vulnerability in Evernote’s Chrome Extension discovered
Guardio, a new breed of cyber security product designed to tackle threats and security concerns within the browser, discovered a major flaw in Evernote’s Web Clipper Chrome extension’s code that left it vulnerable, potentially allowing threat actors to access personal information from users’ online services.

Mitigating threats from malicious or unwanted extensions is an integral part of how Guardio protects its users, as it is able to neutralize harmful extensions in real time. Combined with strong anti-phishing capabilities, malicious ad blocking and information leak monitoring, Guardio bundles a complete online protection suite where it matters most - your browser.

The vulnerability, a universal cross-site scripting (UXSS) flaw marked CVE-2019-12592, was discovered as part of Guardio’s ongoing security analysis efforts using a combination of internal technology and researchers. Guardio disclosed the vulnerabilities to Evernote during the last week of May, which prompted Evernote to address them and roll out a complete fix within less than a week.

Due to Evernote’s widespread popularity, this issue had the potential of affecting its consumers and companies who use the extension – about 4,600,000 users at the time of discovery.

The logical coding error in the Web Clipper extension could have allowed an attacker to bypass the browser’s same origin policy, granting the attacker code execution privileges in iframes beyond Evernote’s domain. As the browser’s domain-isolation mechanisms were broken, code could be executed that could allow an attacker to perform actions on behalf of the user as well as gain access to sensitive user information on affected third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more.

According to its security page, Evernote “periodically assesses its infrastructure and applications for vulnerabilities and remediates those that could impact the security of customer data.”

As the trend to move to the cloud continues, the browser is becoming the users’ de-facto OS - replacing where users use their applications and access their data. While app authors strive to provide faster, smoother user experiences, extensions usually have permissions to access a trove of sensitive resources, inadvertently posing a much greater security risk than traditional websites. Guardio’s protection comes into play in these new, potentially vulnerable threat areas.

“The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers,” said Michael Vainshtein, CTO of the browser-centric and cloud security company Guardio. “All it takes is a single unsafe extension to compromise anything you do or store online. The ripple effect is immediate and intense.” (Source: Guardio) ◊
By MediaBUZZ
16 June 2019 - Cyber-security & Data Protection