


In reality I am sitting on my desk in Germany, and use a PC to go and steal your data. Now you have got what you would see later: An access from Singapore with an Android device to your account. OK, so I use some software that will virtually convert my PC into an Android, Samsung S5, together with all false device and SW fingerprints. Not good enough, because several data from my PC would be transmitted as well, that could be used for fingerprinting my device. What would you see ? An access from Singapore. What would I do ?Īctivate my VPN, switch the country to say Singapore, which builds a VPN tunnel from my PC to Singapore, and enter your account data. Now I am going to attack your account (if I had your credentials, which I don't have, and if I had any intention to do so, which I don't have), but want to cloak my location. Just to make it a little easier than the academic explanation, I tell it as a story: If you are a user of the WebClipper Extension for Google Chrome, and you have changed the defaults on how your Chrome Extensions upgrade, you should ensure that you have v7.11.1 (or better) of the Chrome WebClipper Extension installed. In this case, due to the potential impact, we had patched the vulnerability and distributed a new release within 3 days of Guardio’s contacting us.Ĭhrome Extensions are by default set to auto-upgrade precisely for these sorts of situations consequently our patch was automatically applied to the vast majority of installed Chrome WebClippers. We have a robust security program which includes working with many external security researchers when we or a third-party discover vulnerabilities, we have a formal triage process that ensures that we appropriately prioritize and resolve/mitigate the vulnerability. At Evernote, we have not found any evidence that the vulnerability reported by Guardio has been exploited. The original Guardio press release is here: extension-300866322.htmlĪs mentioned in the CyberScoop coverage above, Guardio does not believe that anyone took advantage of the bug.

Here’s another piece of coverage with more accurate and specific information. Jumping in with a couple of observations: Hey Folks, I am Jesse Lesperance and am the Head of Security at Evernote.
