

A critical flaw in the popular note-taking Evernote extension could have allowed attackers to steal personal data – including emails and financial transactions – of millions.

Specifically impacted was the Evernote Web Clipper extension for the Chrome browser, which lets users capture full-page articles, images, selected text, emails and more. The Evernote extension is extremely popular, putting the personal data of more than 4.6 million users at risk, researchers said.

“Upon successful exploitation, a visit to a hacker-controlled website would compromise the visitor’s private data from affected 3rd-party websites,” researchers with Guardio, who discovered the flaw, said in an analysis this week. “In their Proof-of-Concept (PoC), Guardio has demonstrated access to Social media (reading and posting content), Financial transaction history, private shopping lists, and more.”

Researchers disclosed the flaw to Evernote on May 27; a fix was confirmed on June 4. Evernote users are urged to update to version 7.11.1 or later.

“At Evernote, we have not found any evidence that the vulnerability reported by Guardio has been exploited and Guardio does not believe that anyone took advantage of the bug,” an Evernote spokesperson told Threatpost.

“We have a robust security program which includes working with many external security researchers when we or a third-party discover vulnerabilities, we have a formal triage process that ensures that we appropriately prioritize and resolve/mitigate the vulnerability,” the spokesperson said. “In this case, due to the potential impact, we had patched the vulnerability and distributed a new release within 3 days of Guardio’s contacting us.”

The Vulnerability
