Evernote fixes macOS app bug that allowed remote code execution

Evernote has fixed a vulnerability that could have allowed an attacker to run malicious code on a victim’s computer.

Dhiraj Mishra, a security researcher based in Dubai, reported the bug to Evernote on March 17. In a blog post demonstrating his proof-of-concept, Mishra showed TechCrunch that a user only had to click a link masked as a web address, which would open a locally stored app or file unhindered and without warning.

Evernote spokesperson Shelby Busen confirmed the bug had been fixed, and said the company “appreciates” the contributions from security researchers.

The researcher ‘popped calc’ as a way to demonstrate a remote code execution bug in Evernote (Image: supplied)

MITRE, the vulnerability database keeper, issued an advisory under CVE-2019-10038.

The bug could allow an attacker to remotely run malicious commands on any macOS computer with Evernote installed. Since the fix went into effect, Evernote warns users when they click a link that opens a file on their Mac.
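For defenders who want to look for the pattern described above in stored or shared note content, the following added example (not code from Evernote or from the researcher) flags links whose visible text reads as a web address while the target is not an http(s) URL. It assumes notes can be exported as HTML; the sample note, its paths and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}
# Heuristic: visible text that a reader would take for a web address.
LOOKS_LIKE_WEB = re.compile(
    r"^(https?://|www\.)\S+$|^[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class MaskedLinkFinder(HTMLParser):
    """Collect <a> elements whose text looks like a web address
    while the href uses a scheme other than http(s)."""

    def __init__(self):
        super().__init__()
        self.findings = []   # list of (visible_text, href)
        self._href = None    # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = "".join(self._text).strip()
        scheme = urlsplit(self._href.strip()).scheme.lower()
        # An empty scheme (relative href) is also treated as suspicious.
        if LOOKS_LIKE_WEB.match(text) and scheme not in WEB_SCHEMES:
            self.findings.append((text, self._href))
        self._href = None


def find_masked_links(html):
    finder = MaskedLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample note: one honest link, one masked link, one local
# link that does not pretend to be a web address.
SAMPLE_NOTE = """
<p><a href="https://example.com/notes">https://example.com/notes</a></p>
<p><a href="file:///Applications/Example.app">https://example.com/docs</a></p>
<p><a href="file:///Users/Shared/readme.txt">Open the local readme</a></p>
"""
```

Only the second link in the sample is reported, because its text promises a web address but its target is a local path.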

A similar local file path traversal bug was revealed Tuesday in Electronic Arts’ Origin gaming client.

Evernote was forced to reset close to 50 million passwords after a breach in 2013, and later caused controversy by changing its privacy policy in a way that allowed employees to access user data. The company later walked back the policy change after user complaints.
