![]() ![]() When exploring a Google Chrome browser extension, the first place that I start is with the manifest.json file. Thanks and credit to the Evernote team for a quick triage and fix, especially over the festive period. 15/01/18 - WebClipper 6.13.2 RC released for testing of security fix.10/01/18 - Confirmation that issue had been reproduced and Evernote are working on a fix.10/01/18 - Email from Evernote explaining that previous emails had been intercepted by spam filter, and confirming receipt of security issue.10/01/18 - Follow-up email confirming that initial email sent on 28/12/17 was received. ![]() In this post we will walk through a vulnerability identified, and show how improper handling of window messages can allow an attacker to inject JavaScript into the DOM of any web application. The extension also proves to be quite popular: WebClipper is a browser extension, which allows a user to extract and store webpage contents, videos, images etc. « Back to home Universal XSS via Evernote WebClipperĭuring an evening of bug hunting, I found a cool issue in Evernote’s WebClipper tool. ![]()
0 Comments
Leave a Reply. |