A major flaw has been discovered in the code of the Web Clipper Chrome extension of note-taking service Evernote. The flaw, a universal XSS marked CVE-2019-12592 which could have allowed threat actors to extract personal information from the browser environment, was unearthed by security company Guardio and disclosed to Evernote in late May. Within a week, Evernote addressed the issue and rolled out a complete fix.

According to Guardio: The logical coding error in the Web Clipper extension could have allowed an attacker to bypass the browser’s same origin policy, granting the attacker code execution privileges in iframes beyond Evernote’s domain.

As the browser’s domain-isolation mechanisms were broken, code could be executed that could allow an attacker to perform actions on behalf of the user as well as grant access to sensitive user information on affected third-party web pages and services, including authentication, financials, private conversations in social media, personal emails, and more.

Michael Vainshtein, CTO at Guardio, said: “The vulnerability we discovered is a testament to the importance of scrutinizing browser extensions with extra care. People need to be aware that even the most trusted extensions can contain a pathway for attackers.