Evernote Web Clipper Same-Origin Policy Bypass

Credit: Tavis Ormandy
Risk: Medium
Local: No
Remote: Yes

evernote: extension allows cross-origin iframe communication

I happened to notice that the Evernote Web Clipper (3,000,000+ users) allows any website to bypass the same origin policy.

https://chrome.google.com/webstore/detail/evernote-web-clipper/pioclpoplcdbaefihamjohnefbikjilc

If you send a message like window.postMessage({type: "EN_request", name: "EN_SerializeTo", data: { frameName: id }}), the frame DOM is collected and then posted back to the top window.

I made a quick demo exploit: https://lock.cmpxchg8b.com/oov6Wahv.html

I notice the evernote website requests that all vulnerabilities are submitted via HackerOne, but I'm unwilling to do that. https://evernote.com/security/report-issue

I'll send a report to the Chrome Webstore policy team instead, who can handle contacting the registered developer.

Found by: taviso@google.com
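The bug class here is a content script that honours window.postMessage requests from whoever sends them. The following is an added example, not Evernote's code, of how such a listener can be gated: it accepts a request only when the sender's origin is the extension itself and the sending window is the frame the content script created, then validates the message shape. It assumes the clipper UI lives in an extension-origin iframe, and the EN_SerializeTo allowlist and the constructed events are illustrative.

```javascript
// Added example (not Evernote's code): gate for a content-script
// postMessage listener. Checking event.origin alone is not enough here,
// because the content script runs in the page, so a request posted by the
// page itself carries the page's own origin; binding the sender to the
// extension origin AND to the specific frame the script created is what
// stops an arbitrary site from driving the serialiser.

// Assumed: the clipper UI runs in an iframe served from the extension.
const CLIPPER_ORIGIN = "chrome-extension://pioclpoplcdbaefihamjohnefbikjilc";
// Hypothetical allowlist of request names the content script will serve.
const ALLOWED_NAMES = new Set(["EN_SerializeTo"]);

// Returns {ok: true, name, frameName} for an acceptable request, or
// {ok: false, reason} for anything that must be dropped. `trustedSource`
// is the Window object of the iframe the content script itself inserted.
function checkClipperMessage(event, trustedSource) {
  if (event.origin !== CLIPPER_ORIGIN) {
    return { ok: false, reason: "origin " + event.origin + " is not the extension" };
  }
  if (event.source !== trustedSource) {
    return { ok: false, reason: "sender is not the clipper frame" };
  }
  const msg = event.data;
  if (!msg || typeof msg !== "object" || msg.type !== "EN_request") {
    return { ok: false, reason: "unexpected message type" };
  }
  if (!ALLOWED_NAMES.has(msg.name)) {
    return { ok: false, reason: "unknown request name " + String(msg.name) };
  }
  const frameName = msg.data && msg.data.frameName;
  if (typeof frameName !== "string" || frameName.length === 0) {
    return { ok: false, reason: "frameName must be a non-empty string" };
  }
  // Any reply should go to event.source with targetOrigin CLIPPER_ORIGIN,
  // never to window.top with "*".
  return { ok: true, name: msg.name, frameName };
}

// Constructed stand-ins for MessageEvent objects so the gate runs offline.
const clipperWindow = { id: "clipper-frame" }; // stands in for iframe.contentWindow
const request = { type: "EN_request", name: "EN_SerializeTo", data: { frameName: "main" } };
const fromClipper = { origin: CLIPPER_ORIGIN, source: clipperWindow, data: request };
const fromWebPage = { origin: "https://untrusted.example", source: { id: "top" }, data: request };

console.log(checkClipperMessage(fromClipper, clipperWindow)); // accepted
console.log(checkClipperMessage(fromWebPage, clipperWindow)); // dropped: wrong origin
```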


Copyright 2023, cxsecurity.com
