Security Week 25: Evernote vulnerability and hundreds of hacked online stores

    Guardio specialists discovered ( news , research ) an interesting vulnerability in Evernote. More precisely, not in the application for storing notes, but in the extension for the Google Chrome browser. Evernote Web Clipper allows you to save web pages, both in whole or in part, and can also add comments on top of the original content.


    This rather broad functionality has led to the need to embed code on all pages visited by the user, if he has the Evernote extension installed. Initially, a small script provides additional code loading if the user decides to save the page. As it turned out, this very loading of the code was not really checked, which theoretically allowed the attacker to receive private user data from other resources; it was enough to open the prepared page. Fortunately, the threat remained theoretical: the problem was closed, evidence of its use for real attacks was not found.


    The attacking web page, in addition to the visible content, includes several hidden frames that access sites with private data (as shown in the video above, these are Facebook and PayPal pages). The Evernote extension will add its own script to the code of such a page, which is responsible for further loading the code into all frames. The problem is that the source of the code is not checked properly and can be replaced with the code of the attacker.


    User intervention (for example, activation of any extension functions) is not required. It is enough to open the modified page, and information from hidden iframe-elements will begin to be transmitted to the attacker. This is how a specific version of Proof of Concept works, other options are possible. The vulnerability resembles a problem discovered and closed last year in the extension of Grammarly, a spell-checking service. In that case, Grammarly authorization tokens were available to any other website, so anyone could log in to the service and gain access to user information (more about this vulnerability here) Both services really need to modify the source code of web pages, but you should be careful when implementing such functionality.

    Half a million vulnerable sites, 1700 hacked online stores


    Foregenix published the results of a study of website security ( news , company blog post ). Of the nearly nine million sites monitored regularly, according to Foregenix, about half a million have serious vulnerabilities. Specific criteria for separating serious problems from non-serious ones are not disclosed, but it is indicated that only those where known vulnerabilities with a CVSS rating of more than 7 points are found in the selection of problem sites. It is not entirely clear how even such vulnerabilities are exploited in practice, but sometimes it is useful to estimate such a "mean temperature in a hospital."

    Separately investigated online stores - sites where one way or another implemented the reception of payments from users. Magento is recognized as the most vulnerable CMS platform for online stores: 86.5% of sites working on it have serious vulnerabilities. Of the 1,700 sites where scripts were discovered to steal users' billing information, about a thousand work on Magento, most of them located in North America. According to the company conducting the study, attacked websites find out about a security hole in average 5.5 months after hacking.

    CMS Magento became notorious last year when cybercriminals from the Magecart group began to massively attackvulnerable sites by installing scripts on them to steal the payment data entered by the user when paying. A typical principle of such a skimmer was to open a fake window for entering a credit card number and other information. Such a window was displayed on top of a legitimate form for entering information.

    A large-scale attack in 2018 exploited a vulnerability that was discovered and closed in 2016. Alas, many sites have not been updated in two years, so the estimate of Foregenix (~ 1000 of the 200 thousand infected sites using Magento) is even conservative. Last October, the researcher Willem de Grot, who monitors Magecart, counted 7 thousand sites with a skimmer installed.


    Speaking of ancient vulnerabilities. Microsoft warns of a fresh spam wave of infected .RTF files that exploit a vulnerability in Microsoft Office that was discovered and closed in 2017. The problem is present in versions from 2007 to 2016, and patches were issued for all variants. Opening an infected document in a vulnerable version of Office results in a backdoor being downloaded and installed on the system. Do not forget to upgrade.

    Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend treating any opinions with healthy skepticism.

    Also popular now: