The vulnerability means that, on the surface, the popups and advertisements appear to come from the websites users are visiting, when they are actually coming from the fake Evernote web extension.
Researchers at the company discovered the vulnerability in a "multi-plug PUP" file, which installs the fake Evernote browser extension.
"A quick look shows the PUP is digitally signed by 'Open Source Developer, Sergei Ivanovich Drozdov', although the certificate has since been revoked by the Issuer. This serves as another reminder that you can't always trust a program just because it's digitally signed," said Malwarebytes malware intelligence analyst Joshua Cannell in an email sent to The INQUIRER.
"Clicking 'Visit website' directs the user to the Chrome webstore page for the actual Evernote Web extension," Cannell added. "Chrome believes the real extension is installed, as verified by the Launch App button. When clicking this button with the fake extension installed, nothing happens, whereas normally the user is met with an Evernote login screen."
Cannell explained that this is because the extension uses a content script to run in the context of the webpages a user browses.
"The content script is guaranteed to be loaded into every web page using the extension manifest (manifest.json). When visiting webpages, you'll get a series of annoying advertisements, all leading to potentially more unwanted programs and offers," he added.
To remove the extension, Chrome users need to visit the extensions tab in the browser and click the picture of a garbage can.
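The manifest.json mechanism Cannell describes can be checked for directly. The following is an added example, not code from Malwarebytes or from the extension itself: it parses extension manifests and reports content scripts whose match patterns cover every page. The sample manifests and the function names are constructed for illustration, and the caller supplies the Chrome profile's extensions directory.

```python
import json
from pathlib import Path

# Match patterns that make Chrome inject a content script into every page visited.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_content_scripts(manifest_text):
    """Return content_scripts entries that match every site, or None if unparsable."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return None
    if not isinstance(manifest, dict):
        return None
    findings = []
    for entry in manifest.get("content_scripts", []):
        broad = sorted(BROAD_PATTERNS.intersection(entry.get("matches", [])))
        if broad:
            # The name may be a localisation key such as __MSG_appName__.
            findings.append({"name": manifest.get("name", "?"),
                             "matches": broad,
                             "js": entry.get("js", [])})
    return findings

def audit_extensions_dir(extensions_dir):
    """Scan <extensions_dir>/<id>/<version>/manifest.json and map each path to its findings."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        report[str(path)] = broad_content_scripts(text)
    return report

# Constructed sample manifests (not taken from the extension described in the article).
SAMPLE_EVERY_PAGE = """{
  "name": "Sample Notes Extension", "version": "1.0", "manifest_version": 2,
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}"""
SAMPLE_SCOPED = """{
  "name": "Sample Scoped Extension", "version": "1.0", "manifest_version": 2,
  "content_scripts": [{"matches": ["https://www.example.com/*"], "js": ["page.js"]}]
}"""

if __name__ == "__main__":
    for label, text in (("every-page", SAMPLE_EVERY_PAGE), ("scoped", SAMPLE_SCOPED)):
        print(label, broad_content_scripts(text))
```

A hit is a prompt to review the extension, not a verdict: legitimate extensions such as ad blockers also inject scripts into every page.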
Evernote hit the headlines for its security concerns last year when it emerged that its network had been compromised by hackers.
The online note-taking service issued a password reset for all users after the discovery. It said that it "discovered and blocked" suspicious activity on its network, but claimed that no user data was compromised during the intrusion.
"In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost," Evernote said. µ