A critical vulnerability in Evernote’s Web Clipper Chrome extension could have let an attacker read data from the websites its users had open in active, logged-in sessions. Web Clipper, an extension that lets users save web pages, emails, images, articles and screenshots to Evernote, exposed the browsing sessions of its 4.5 million users until Evernote fixed the flaw on May 31, 2019.
How the vulnerability works
The same-origin policy is the browser mechanism that stops a document from one origin (scheme, host and port) from reading or modifying content that belongs to another origin. It is what keeps a page you happen to have open from reading your webmail or your bank’s session in another tab. The Web Clipper vulnerability, tracked as CVE-2019-12592, let a malicious web page bypass that policy: a logic flaw in the way the extension injected its own scripts into pages could be abused to run attacker-controlled script in the context of other sites the user had open. Because an extension runs with privileges that ordinary page scripts do not have, this amounted to Universal Cross-Site Scripting (UXSS) in Chrome, and with it the ability to read, change and exfiltrate data from any site the victim was logged in to.
Impact of the vulnerability on organizations
Browsers have become an indispensable tool in most work environments, allowing users to get work done using cloud-based applications. The vulnerability in Web Clipper could have exposed sensitive enterprise data accessed by its users through Chrome to an attacker, putting many organizations at risk of a data breach.
With close to 8,500 extensions in the web store, some of which may carry similar vulnerabilities capable of leading to a data breach, how do you know which extensions are harmful? And how do you prevent users from installing vulnerable extensions in your network? Finding and eliminating browser vulnerabilities is a challenge, but with the right tools, it can be easy.
ManageEngine Browser Security Plus is enterprise security software that helps prevent web-based cyberattacks. Its add-on management feature provides insight into the extensions present in your network, including which of them are harmful. You can disable harmful extensions to reduce your network’s exposure to browser-based vulnerabilities.
Alternatively, you can whitelist extensions you know and trust, ensuring that only those extensions you’ve whitelisted are present in your network. Users will not be able to install any extension that’s not on this list, and if the extension is already present on a machine before the whitelist is implemented, it will be disabled.
Browser Security Plus also comes with a provision to create your own extension repository. You can add and maintain a repository of mission-critical extensions, and distribute the extensions to computers as needed.
Try out Browser Security Plus free for 30 days today!