Evernote Flaw Allowed Hackers to Create XSS Vulnerability and Steal Data

March 3, 2019
Evernote for Windows

A researcher who uses the online moniker Sebao identified a stored XSS flaw in the Evernote app. He found that when a picture was added to a note and later renamed, JavaScript code could be added instead of a name. If the note was shared with another Evernote user, the code would get executed when the recipient clicked on the picture.

Evernote has fixed a defect in the Microsoft Windows adaptation of the application which allowed put away XSS assaults to happen.


The helplessness, CVE-2018-18524, has been settled in Evernote for Windows 6.16.1 beta.


The primary security blemish affected Evernote for Windows 6.14 and was found by TongQing Zhu from the Knownsec 404 group.


As portrayed in a blog entry a week ago, the cross-website scripting (XSS) issue was revealed as nearby documents – including win.ini and calc.exe – could be perused.


Evernote allowed the utilization of characters and expressions, for example, “onclick = “alert(1) ” when renaming and opening picture documents, and it was this absence of approval which allowed the scientist to make a put away XSS.


XSS is a typical assault vector for everything from program sessions to versatile applications. While reflected XSS assaults will bob a pernicious content onto a perusing session, put away XSS assaults are the more hazardous of the two as it enables malignant contents to be infused specifically into a program or other type of programming.


Effective XSS assaults can prompt record bargain, program commandeering, and the execution of malware payloads through endeavor packs.


For Evernote’s situation, in any case, the analyst investigated further and discovered that he was likewise ready to stack Nodejs code by put away XSS under Present mode in Evernote for Windows 6.15 – and the pernicious records could be imparted to different records by means of work talks, prompting code execution.


Known sec 404 found the imperfections on September 27, detailing its discoveries to Evernote around the same time. Evernote immediately affirmed the bugs and settled them in October amid the application’s most recent refresh, Evernote for Windows 6.16.1 beta.


About the author

Leave a Reply