Jump to content

Jesse P Lesperance

Ex Employees
  • Posts

    2
  • Joined

  • Last visited

Everything posted by Jesse P Lesperance

  1. Just a little bit of clarity on the IP from the US: The 35.199.x.x IP address is allocated to Google Cloud where Evernote hosts our infrastructure. What you are seeing is a piece of normal communication with one of our systems which is currently being misreported as an account access. We are aware of the issue and are working internally to resolve the bug.
  2. Hey Folks, I am Jesse Lesperance and am the Head of Security at Evernote. Jumping in with a couple of observations: Here’s another piece of coverage [https://www.cyberscoop.com/evernote-patches-flaw-google-chrome-extension/] with more accurate and specific information. The original Guardio press release is here:https://www.prnewswire.com/news-releases/guardio-discovers-major-vulnerability-in-evernotes-chrome- extension-300866322.html As mentioned in the CyberScoop coverage above, Guardio does not believe that anyone took advantage of the bug. At Evernote, we have not found any evidence that the vulnerability reported by Guardio has been exploited.. We have a robust security program which includes working with many external security researchers; when we or a third-party discover vulnerabilities, we have a formal triage process that ensures that we appropriately prioritize and resolve/mitigate the vulnerability. In this case, due to the potential impact, we had patched the vulnerability and distributed a new release within 3 days of Guardio’s contacting us. Chrome Extensions are by default set to auto-upgrade precisely for these sorts of situations; consequently our patch was automatically applied to the vast majority of installed Chrome WebClippers. If you are a user of the WebClipper Extension for Google Chrome, and you have changed the defaults on how your Chrome Extensions upgrade, you should ensure that you have v7.11.1 (or better) of the Chrome WebClipper Extension installed.
×
×
  • Create New...