We took notice a couple of weeks ago when it was reported that a major flaw had been found in a popular Chrome browser extension. Evernote’s Web Clipper, the Chrome extension for the Evernote note-taking service, has over 4.6 million users. A cross-site scripting vulnerability in the extension could be used to bypass Chrome’s same-origin policy (SOP), which could have allowed an attacker to access a user’s active sessions on other websites open in the same browser. Evernote has issued an update (version 7.11.1) that addresses the flaw. An article from Hacker News outlines the details and includes a short video showing a proof-of-concept (PoC) exploit in which a payload is injected into a targeted website through the extension.
As we mentioned in our blog Exploiting Browser Extensions Compromise Corporate Networks back in March, even though browser extensions are built like web applications, they aren’t always bound by the SOP that normally prevents one web app from accessing another’s data. An extension that has been granted access to a site runs its scripts inside that site’s pages, so a flaw in the extension can become a flaw in every site the extension can reach. This reinforces the need for employees and security organizations to be aware of the dangers browser extensions can present.
Browser extension vulnerabilities and other rogue software programs or apps can be recognized quickly with SlashNext Real-Time Phishing Threat Intelligence. It works across all phishing attack vectors, including email, pop-ups, ads, search, social media, IM, rogue apps, and more. It also covers all six major categories of phishing and social engineering threats and identifies live zero-hour threats as they appear, allowing organizations to respond immediately with automated blocking through integration with their firewall. With more people than ever using browser extensions to make their lives easier, security teams have more reason to be concerned about what corporate network and data exposure is taking place.
See what phishing threats you’re missing. Contact us for a demo or try SlashNext Real-Time Phishing Threat Intelligence free for 15 days.