Evernote’s Mac app had a vulnerability that could have allowed an attacker to remotely launch malicious code …
TechCrunch explains the issue.
Mishra posted a video on his blog demonstrating how it worked: the user clicks what appears to be a webpage link, and the click actually opens Calculator. He picked a harmless example for his proof of concept, but a bad actor could of course have done something much more worrying.
The bug could allow an attacker to remotely run malicious commands on any macOS computer with Evernote installed.
The security researcher notified Evernote and waited for them to fix it before disclosing the bug.
Evernote had a bug back in 2016 which could see images and other attachments lost from a note, and a privacy concern which the company resolved shortly after it came to light.
Since the fix went into effect, Evernote warns users when they click a link that opens a file on their Mac.