Evernote Web Clipper Opera



Users of Evernote’s Web Clipper extension for Google Chrome should check it has been updated to the latest version after a security company published details of a dangerous security flaw.

  • 讀者推薦的最新軟體,更加厲害: 「pyTranscriber 影片自動上字幕免費軟體! 10分鐘搞定1小時影片」。 不久前在電腦玩物測試了:「YouTube 影片、錄音檔語音自動轉 Google 文件、翻譯文字檔」,在該文底下,一位台灣開發者「布丁布丁吃什麼」留言分享自己設計的一個工具:「 Web Speech to Text.
  • Sep 07, 2018 Convenient Web Clipper extension: The Evernote Web Clipper browser extension lets you capture web pages or parts of pages and pop them right into your Evernote account. Summary: Where Evernote may come in second for a completely simple interface, it makes up for with its features.
  • Millions of real salary data collected from government and companies - annual starting salaries, average salaries, payscale by company, job title, and city.
  • Web Clipper lets you save full webpages as you're browsing, add annotations & search all your web captures. Discover more ways to get the most out of Evernote! Evernote Web Clipper lets you save full page screen captures, annotate images, and search saved pages even when you're offline.

Watch on Evernote Web Clipper is a simple extension for your web browser that lets you capture full-page articles, images, selected text, important emails, and any web page that inspires you. Save everything to Evernote and keep it forever.

Discovered by Guardio in May, ‘dangerous’ in this context means that anyone using it in its unpatched state is at risk not only of a compromise of their Evernote account but, potentially, of third-party accounts (email, social media, banking) they have open at the same time.

Identified as CVE-2019-12592, it is a Universal Cross-Site Scripting (UXSS) flaw caused by a “logical coding error” that breaks the browser’s domain isolation protection.

From the description offered, exploiting it would require several steps, the first of which would be luring the user to a malicious or compromised website.

The attack would then load iFrame tags targeting specific services, hijacking Evernote to inject payloads into all iFrames:

Injected payload is customized for each targeted website, able to steal cookies, credentials, private information, perform actions as the user and more.

To demonstrate the danger, Guardio developed a proof-of-concept to show that it was possible to exploit the vulnerability to steal user data under real-world conditions.

Evernote

Who is – and isn’t – affected?

Only the 4.6 million users of the Chrome extension need update (as far as we know, users of the Firefox, Opera, and Edge equivalents are unaffected).

You’ll know you’re one of those if Chrome says the installed Evernote Web Clipper is earlier than the patched version, 7.11.1, released on 31 May 2019.

Chrome should have updated to this automatically, but a manual update can be carried out by accessing the extensions panel (chrome://extensions) and engaging the developer slider on the right-hand side. That causes the extensions ‘update’ button to appear.

Commendably, Evernote fixed and shipped the patched version only three days after being told about it, which is exactly what companies should do in these circumstances.

Web

Extension risks

Web clipping extensions are a wonderful invention for anyone who wants to store screenshots, or save and annotate web content, in this case storing it in their Evernote account.

However, doing this requires permissions, which is where the increased risk comes in. As Guardio says:

This vulnerability is a testament to the importance of treating browser extensions with extra care and only installing extensions from trusted sources.

And that’s before factoring in the possibility of malicious extensions that are found on Google’s Chrome Web Store more often than they should be.

Evernote Web Clipper Safari

As with Evernote, legitimate extensions have also had their weaknesses, such as the one affecting Grammarly in 2018.

We’d recommend installing as few extensions as possible and, most critical of all, checking the permissions they ask for, not only on Chrome but on any browser.

On Chrome this is done via Extensions > Details, while on Firefox permissions are listed when the user clicks the ‘Add to Firefox’ button. For Opera, it’s Extensions > Information.

Google uses cookies and data to:
  • Deliver and maintain services, like tracking outages and protecting against spam, fraud, and abuse
  • Measure audience engagement and site statistics to understand how our services are used
If you agree, we’ll also use cookies and data to:

Evernote Web Clipper And Microsoft Edge

  • Improve the quality of our services and develop new ones
  • Deliver and measure the effectiveness of ads
  • Show personalized content, depending on your settings
  • Show personalized or generic ads, depending on your settings, on Google and across the web
For non-personalized content and ads, what you see may be influenced by things like the content you’re currently viewing and your location (ad serving is based on general location). Personalized content and ads can be based on those things and your activity like Google searches and videos you watch on YouTube. Personalized content and ads include things like more relevant results and recommendations, a customized YouTube homepage, and ads that are tailored to your interests.

Evernote Web Clipper Opera Download

Click “Customize” to review options, including controls to reject the use of cookies for personalization and information about browser-level controls to reject some or all cookies for other uses. You can also visit g.co/privacytools anytime.