Buggy Evernote Extension Exposes Millions of Users

Well, it appears that 2019 has been officially nominated as the hacking year. This time it's our lovable and handy Evernote or, as I like to call it, the best thing that ever happened to the note-taking business.

Earlier this week, a company spokesperson revealed that due to a buggy Chrome extension, over 4 million users now have to change their passwords and check their bank accounts. No incidents have been recorded so far, but given the nature of the flaw, it’s only a matter of time before we see heads rolling.

How can someone steal personal data from a Chrome extension?

Guardio, the cybersecurity company that identified the vulnerability in the first place, said that Evernote's Web Clipper, the buggy extension, could have been used to steal personal info from users.

This includes emails, names, addresses, and financial transactions. Estimates show that over 4 million Evernote customers are at risk.

The timeline's a little confusing – apparently, the issue was flagged in late May by Guardio's cybersecurity experts. However, it took Evernote more than a month to officially announce and address the issue.

Now, as far as the vulnerability is concerned, here's how Guardio's Proof-of-Concept explained it: Evernote's Chrome extension allows users to select text, take screenshots, and clip full-page articles and pictures.

This is achieved via a JavaScript file which is 'injected' into the various webpages. Due to a logical coding error, the script's function is left hanging. In turn, a hacker can seize the opportunity to inject malicious code into the webpage through this flaw.

The worst part is that users don't even know that their data is being stolen – the page loads normally, but behind the scenes, they are being redirected with iframe tags.

In other words, a hacker can use the extension's error against the system. From that alone, your entire Internet history, which includes cookies, credentials, and payment information, can end up on the dark web.

The company announced that the issue had been resolved. However, users are asked to update the software to the latest version (7.11) as soon as possible to prevent any future tampering attempts.

So, where does that leave us? Well, nowhere safe, truth be told. Chrome has hundreds, if not thousands of free and paid extensions and more on the way.

Evernote was a fortunate case because the company was able to identify and fix the issue before bad things started happening.

However, we mustn’t lose sight of the fact that more than 4 million accounts were exposed before the company had time to react.

The best thing right now would be to tiptoe around extensions – download only legit applications, be careful about what info you share, and try to curb the app’s permissions as much as you can.


Google and Guardio are working around the clock to determine who was behind the attack and to trace the stolen info.

Unfortunately, as in the case of many cyber attacks, it may be next to impossible to figure out who did it. So, what’s your take on this? Hit the comments section and let me know your thoughts.

About Daniel Sadler

Old-school PC gamer, poetry buff, cat lover, tech wiz. His writing career began almost two decades ago when he modestly acknowledged that hindsight, or lack thereof, can compromise security. He enjoys spending quality time with his friends and family. Most of his friends refer to Daniel as a "man of a few words, but, man, what words!" His interests include cybersecurity, IT, blogging, and, of course, everything related to technology.
