Evernote Web Clipper suffered from a same-origin policy bypass vulnerability. The link to the demo exploit was a 403 at the time of addition and has not been included in this post.
edeb6d56c9d50dfe6a6599592c18c494c4d5dc6ad6ea545586270e0e19511589
evernote: extension allows cross-origin iframe communication
I happened to notice that the Evernote Web Clipper (3,000,000+ users) allows any website to bypass the same origin policy.
https://chrome.google.com/webstore/detail/evernote-web-clipper/pioclpoplcdbaefihamjohnefbikjilc
If you send a message like window.postMessage({type: \"EN_request\", name: \"EN_SerializeTo\", data: { frameName: id }), the frame DOM is collected and then posted back to the top window.
I made a quick demo exploit: https://lock.cmpxchg8b.com/oov6Wahv.html
I notice the evernote website requests that all vulnerabilities are submitted via HackerOne, but I'm unwilling to do that.
https://evernote.com/security/report-issue
I'll send a report to the Chrome Webstore policy team instead, who can handle contacting the registered developer.
Found by: [email protected]