Hey Folks, I am Jesse Lesperance and am the Head of Security at Evernote.
Jumping in with a couple of observations:
Here’s another piece of coverage [https://www.cyberscoop.com/evernote-patches-flaw-google-chrome-extension/] with more accurate and specific information. The original Guardio press release is here: https://www.prnewswire.com/news-releases/guardio-discovers-major-vulnerability-in-evernotes-chrome-extension-300866322.html
As mentioned in the CyberScoop coverage above, Guardio does not believe that anyone took advantage of the bug. At Evernote, we have not found any evidence that the vulnerability reported by Guardio has been exploited.
We have a robust security program which includes working with many external security researchers; when we or a third-party discover vulnerabilities, we have a formal triage process that ensures that we appropriately prioritize and resolve/mitigate the vulnerability. In this case, due to the potential impact, we had patched the vulnerability and distributed a new release within 3 days of Guardio’s contacting us.
Chrome Extensions are by default set to auto-upgrade precisely for these sorts of situations; consequently our patch was automatically applied to the vast majority of installed Chrome WebClippers.
If you are a user of the WebClipper Extension for Google Chrome, and you have changed the defaults on how your Chrome Extensions upgrade, you should ensure that you have v7.11.1 (or better) of the Chrome WebClipper Extension installed.