Evernote’s Mac app could have allowed remote code execution; now fixed [Video]

Evernote’s Mac app had a vulnerability that could have allowed an attacker to remotely launch malicious code …

TechCrunch explains the issue.

Dhiraj Mishra, a security researcher based in Dubai, reported the bug to Evernote on March 17. In a blog post showing his proof-of-concept, Mishra showed TechCrunch that a user only had to click a link masked as a web address, which would open a locally stored app or file unhindered and without warning […]

The bug could allow an attacker to remotely run malicious commands on any macOS computer with Evernote installed.

Mishra posted a video (below) on his blog demonstrating how it worked, where the user clicking on what appears to be a webpage link actually opens Calculator. He picked a harmless example for his proof of concept, but a bad actor could of course have done something much more worrying.

The security researcher notified Evernote and waited for them to fix it before disclosing the bug.

Evernote spokesperson Shelby Busen confirmed the bug had been fixed, and said the company “appreciates” the contributions from security researchers […]

Since the fix went into effect, Evernote now warns users when they click a link that opens a file on their Mac.
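The behaviour described above, a link whose visible text looks like a web address but whose real target opens something on the local machine, and the post-fix behaviour of warning before opening a local file, can both be captured by a small link-classification step run before a note viewer follows a link. The following JavaScript is an added example written for this article; it is not Evernote's code or the researcher's proof of concept. The function name classifyLink, the http/https allowlist and the sample links are assumptions constructed for the example.

```javascript
// Added example (not Evernote's code): decide what a note viewer should do
// before following a link. Anything that is not a plain web link is treated as
// opening a local resource and gets a user prompt instead of opening silently,
// which is the mitigation the article describes. Web links whose visible text
// names a different host than the real target are also flagged.

// Assumption for this example: only http and https are followed without a prompt.
const WEB_SCHEMES = new Set(["http:", "https:"]);

function classifyLink(displayText, href) {
  let target;
  try {
    target = new URL(href);
  } catch (e) {
    // No scheme or otherwise unparseable: do not hand it to the OS at all.
    return { action: "block", reason: "unparseable link target" };
  }

  if (!WEB_SCHEMES.has(target.protocol)) {
    // file:, custom app schemes and the like open something on this machine,
    // not a web page, so the user must confirm first.
    return {
      action: "warn",
      reason: `non-web scheme ${target.protocol} opens a local resource`,
    };
  }

  // If the visible text itself reads like a web address, its host must match
  // the host actually being opened; otherwise the text is masking the target.
  let shown = null;
  try {
    shown = new URL(displayText.includes("://") ? displayText : `https://${displayText}`);
  } catch (e) {
    // Plain words such as "Read more" are not an address; nothing to compare.
  }
  if (shown && shown.hostname && shown.hostname !== target.hostname) {
    return {
      action: "warn",
      reason: `link text shows ${shown.hostname} but opens ${target.hostname}`,
    };
  }

  return { action: "open", reason: "web link, host consistent with display text" };
}

// Constructed sample links for a stand-alone run (not taken from a real note).
const SAMPLE_LINKS = [
  ["https://www.evernote.com", "file:///Applications/Calculator.app"],
  ["Read more", "https://example.com/post"],
  ["evernote.com", "https://example.com"],
  ["broken", "not a url"],
];

for (const [text, href] of SAMPLE_LINKS) {
  const verdict = classifyLink(text, href);
  console.log(`${verdict.action.padEnd(5)} ${JSON.stringify(text)} -> ${href} (${verdict.reason})`);
}
```

The point of the check is that the decision is made on the parsed target, never on the text the user sees; the display text is only used to detect a mismatch. A prompt on every non-web scheme is deliberately coarse, since the viewer cannot know which local resources are harmless.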

Evernote had a bug back in 2016 which could see images and other attachments lost from a note, and a privacy concern which the company resolved shortly after it came to light.


Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
