Rich Tener, posted April 3, 2018: Hi everyone, I lead Evernote's security team. We recently received reports from a small number of users that they had discovered unauthorized access on their account from a third-party app called "Geeknote". We believe that someone has learned these users' passwords from a website or service not associated with Evernote. Our security team investigated these reports and found that Geeknote was being used by malicious actors to automate access to our service. We care about the security of Evernote customers, so we've revoked the app from our service to disrupt the abuse and protect customers. If you were previously a Geeknote user, we've emailed you directly to explain this change. If we detected unauthorized access on your account, we've also emailed you and reset your password. If you have not received either email notification from us, then you are likely not impacted. We recommend that you always use a unique password on your Evernote account and set up two-factor authentication to better protect it. See https://evernote.com/security/tips for more tips on how to secure your account. To understand more about Evernote and third-party applications visit: https://evernote.com/privacy/third-party-apps
zingbretsen, posted April 3, 2018: Just to clarify, the malicious actors were just using Geeknote? Or do you believe that Geeknote itself is somehow compromised?
Rich Tener (author), posted April 3, 2018: (quoting zingbretsen: "Just to clarify, the malicious actors were just using Geeknote? Or do you believe that Geeknote itself is somehow compromised?") @zingbretsen that's correct. The malicious actors were just using Geeknote.
pva, posted April 3, 2018: Thanks for the notification! Do I understand correctly that now I'm unable to use Evernote with vim? Looks like I have to try Simplenote sooner than expected.
jeff.kowalski, posted April 3, 2018: I maintain a geeknote fork. @Rich Tener, I don't understand the action. Geeknote simply uses the approved API to access the service via command line. Is there a security problem with the program itself? Shutting it off now limits the functionality of legitimate users without recourse. What's the next step?
ballard, posted April 3, 2018: Also, to add to this: since the security concern is not related to Geeknote (or the forks), it seems to be an overreaction to ban the entire use of the tool just because it was used by bad actors. It would be akin to saying you would ban the Windows client for everyone because some sets of compromised credentials were used with it (and I'm sure compromised credentials have been used with the Windows client too). I get that Geeknote and/or Linux isn't nearly as widely used as the other platforms. Is there an Evernote client option for Linux? ...that isn't the web client?
skshim, posted April 3, 2018: Thanks for the notification, but actually I could not use geeknote because of some 2FA problem. I wanted to fix that but failed... However, I always want to use Evernote from the command line or vim or any other editor on Linux. I know this page is not for requests, but could you consider releasing an official Linux client?
jefito (Level 5*), posted April 4, 2018: (quoting ballard: "I get that Geeknote and/or Linux isn't nearly as widely used as the other platforms. Is there an Evernote client option for Linux? ...that isn't the web client?") Not from Evernote, but: https://sourceforge.net/projects/nevernote/.
jefito (Level 5*), posted April 4, 2018: (quoting skshim: "I know this page is not for requests, but could you consider releasing an official Linux client?") This is one of several: Add your vote...
ballard, posted April 4, 2018: (quoting jefito: "Not from Evernote, but: https://sourceforge.net/projects/nevernote/.") This is true; however, Geeknote did not cause a security incident. Unless something non-public occurred, from what we have been told (above): (quoting Rich Tener: "@zingbretsen that's correct. The malicious actors were just using Geeknote.") ...What will stop the miscreants from using NixNote (or any other) non-official client? When a compromised account is found on another non-official client, my fear is that Evernote will ban those as well. This is a very ominous sign for non-official clients. (quoting jefito: "This is one of several: Add your vote...") Added, thanks.
Rich Tener (author), posted April 4, 2018: @ballard there were a couple of issues going on. The first is that Geeknote doesn't comply with our API license, which requires the developer to protect their consumer secrets. Geeknote is a standalone app, so the secret is in the source code (config.py). To properly protect it, the developer needs to remove it from the source code and set up a web service to authenticate users. In situations where someone is using an app to abuse our service, we work with the developer to stop new logins on their infrastructure. With Geeknote, we can't do that because there is no infrastructure. We also couldn't reach the original developer that registered the API key. There is a path forward. For standalone apps like Geeknote, we support a downloadable personal authentication token called a developer token (http://dev.evernote.com/doc/articles/dev_tokens.php). With some app modifications, you can use this personal developer token to authenticate Geeknote to your account. We've had abuse issues with dev tokens in the past, so we whitelist who can use them. Before we revoked Geeknote from our service, we enabled dev token downloads for everyone that had been using Geeknote. Jeff Kowalski, the maintainer of the forked version, has reached out to us and we are working with him on a path forward to get Geeknote working again.
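As an added illustration of the problem Rich describes (an API consumer secret committed to config.py), and not code from Geeknote, Evernote or anyone in this thread: a small shell check that flags hard-coded consumer key/secret assignments in a Python config file, so a maintainer can catch the pattern before a commit lands. The file contents and credential values below are constructed samples, and the variable names CONSUMER_KEY and CONSUMER_SECRET are assumed for the example, not taken from Geeknote's source.

```shell
#!/bin/sh
# Added example: flag hard-coded API consumer credentials in a Python config
# file. Not Geeknote's or Evernote's code; names and values are constructed.

# find_hardcoded_secrets FILE
# Prints each offending line with its line number.
# Returns 0 when nothing is found, 1 when at least one literal secret is present.
find_hardcoded_secrets() {
    file="$1"
    # Match assignments such as  CONSUMER_SECRET = 'abc'  or  consumer_key="..."
    # whose right-hand side is a non-empty quoted literal. An empty literal or
    # a lookup such as os.environ.get(...) is deliberately not flagged.
    if grep -n -i -E "consumer_(key|secret)[[:space:]]*=[[:space:]]*['\"][^'\"]+['\"]" "$file"; then
        return 1
    fi
    return 0
}

# Constructed sample: the bad shape, secret inline in the source file.
make_bad_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not real credentials
CONSUMER_KEY = 'example-key'
CONSUMER_SECRET = 'example-secret-value'
EOF
    printf '%s\n' "$f"
}

# Constructed sample: the corrected shape, credentials read from the
# environment at run time so nothing secret is checked in.
make_good_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
import os
CONSUMER_KEY = os.environ.get("EVERNOTE_CONSUMER_KEY", "")
CONSUMER_SECRET = os.environ.get("EVERNOTE_CONSUMER_SECRET", "")
EOF
    printf '%s\n' "$f"
}

# Usage: find_hardcoded_secrets path/to/config.py || echo "secret committed"
```

Wiring this into a pre-commit hook turns it into the check that would have caught the original issue; as Jeff notes later in the thread, once a secret has been pushed to a public repository the only fix is to revoke it, so catching it before the commit is what matters.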
jeff.kowalski, posted April 4, 2018: Thank you @Rich Tener and team for the swift help. And thank you sincerely for your vigilance in protecting users against intrusion as well as insecure code. I'm impressed that you cross-posted to the geeknote forks as well as posting on this forum page. It's clear that you were striving for transparency and support. To the Community: While I'm not the original author of geeknote, I've been maintaining an active branch at https://github.com/jeffkowalski/geeknote. In the original source from which I forked, the consumer key and secret were checked into GitHub, and since that can't be erased from the master record, that's a persistent source of problems that can only be addressed by disabling those credentials. I support Evernote's decision to disable access via those credentials. As Rich points out, there is good news. We can generate and successfully use personal developer tokens immediately to regain access individually. Furthermore, moving forward there's the opportunity for a proper OAuth implementation. Please see https://github.com/jeffkowalski/geeknote/issues/89 for a bit more discussion. In short, to get going again, it's sufficient to set the EVERNOTE_DEV_TOKEN environment variable to your own newly acquired developer token before invoking geeknote once again as usual. For the longer-term solution, I solicit and welcome suggestions and coding help in implementing the proper OAuth solution that will make geeknote accessible again to users more broadly. Please take those suggestions and pull requests over to the GitHub site. Thank you, Jeff
Pierre François, posted April 4, 2018: (quoting jeff.kowalski: "In short, to get going again, it's sufficient to set the EVERNOTE_DEV_TOKEN environment variable to your own newly acquired developer token before invoking geeknote once again as usual.") I got a new developer token and tried to invoke geeknote as follows: EVERNOTE_DEV_TOKEN='my-token-here'; geeknote notebook-list but I get no output. Do I need to log in again?
jefito (Level 5*), posted April 4, 2018: (quoting ballard: "This is true; however, Geeknote did not cause a security incident. Unless something non-public occurred, from what we have been told (above):") Um, not sure what this means. You asked the following: "Is there an Evernote client option for Linux?" In my reply, I cited NixNote, which is an Evernote client (software that uses the Evernote service), though not an Evernote-written client. Ambiguous question, possibly, but answered unambiguously, and nothing to do with Geeknote or any security incident (or non-incident).
compromised, posted April 4, 2018: My access history has a lot of unauthorized access from Geeknote and I have reset my password. Does this mean all my notes and data in Evernote have been compromised? I have some credentials and personal details in it.
Rich Tener (author), posted April 4, 2018: @compromised if you discovered unauthorized access to your account, someone had access to everything in it. We don't know exactly what the malicious actors are looking for, but based on previous investigations, we believe they are searching for cryptocurrency wallet credentials. I suggest rotating any credentials you had stored in your notes and looking at a purpose-built password manager to store those moving forward.
ballard, posted April 4, 2018: @Rich Tener and @jeff.kowalski, thank you for your responses; those make perfect sense. @jefito sorry for my less-than-straightforward answer. My worries were that something like NixNote could be banned too, but the other responses have addressed that worry. @compromised: beyond what the others have said, I might suggest turning on multi-factor authentication.
jeff.kowalski, posted April 5, 2018: @Pierre François It's best to post support questions for geeknote over on GitHub, as I see you have, and not cross-post here. This forum isn't monitored for geeknote support. You'll find suggestions to address your problem over on the GitHub issue. Hope it helps. Cheers, Jeff
Pierre François, posted April 5, 2018: (quoting jeff.kowalski: "It's best to post support questions for geeknote over on GitHub, as I see you have, and not cross-post here. This forum isn't monitored for geeknote support. You'll find suggestions to address your problem over on the GitHub issue.") OK. Got it. Thank you.
ferrouswheel, posted April 8, 2018: (quoting Pierre François, 4/4/2018: "I got a new developer token and tried to invoke geeknote as follows: EVERNOTE_DEV_TOKEN='my-token-here'; geeknote notebook-list but I get no output. Do I need to log in again?") Remove the semicolon in your command line if you want geeknote to be able to see that environment variable.
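An added example, not code from Geeknote or from anyone in this thread, illustrating the point in ferrouswheel's reply and Jeff's earlier instruction about EVERNOTE_DEV_TOKEN: the three common ways of setting the variable and which of them the client process actually receives. A `sh -c` one-liner stands in for the geeknote binary (a real invocation reads the same variable); the token value is a constructed placeholder, and the fail-closed wrapper at the end is an assumed convenience, not part of Geeknote.

```shell
#!/bin/sh
# Added example: why  VAR=x; cmd  and  VAR=x cmd  differ. Not Geeknote's code.

# Stand-in for the geeknote binary: an external process that prints whatever
# value of EVERNOTE_DEV_TOKEN reached its environment (empty if none did).
FAKE_GEEKNOTE='printf "%s" "${EVERNOTE_DEV_TOKEN-}"'

# Form 1 (the command from the thread): assignment, semicolon, then the command.
# The variable is set in the current shell but never exported, so the child
# process starts without it. Each form runs in a subshell so nothing leaks.
with_semicolon() {
    ( unset EVERNOTE_DEV_TOKEN
      EVERNOTE_DEV_TOKEN='constructed-token'; sh -c "$FAKE_GEEKNOTE" )
}

# Form 2: prefix assignment. The variable is placed in the environment of that
# one command only, which is the narrowest scope and the form to prefer.
with_prefix() {
    ( unset EVERNOTE_DEV_TOKEN
      EVERNOTE_DEV_TOKEN='constructed-token' sh -c "$FAKE_GEEKNOTE" )
}

# Form 3: export once; every later command in the session (and anything those
# commands spawn) can read the token, which is the trade-off of convenience.
with_export() {
    ( unset EVERNOTE_DEV_TOKEN
      export EVERNOTE_DEV_TOKEN='constructed-token'; sh -c "$FAKE_GEEKNOTE" )
}

# Assumed fail-closed wrapper: refuse to run the client when no token is set,
# rather than silently producing no output or falling back to whatever
# credentials a config file might still carry.
run_with_token() {
    if [ -z "${EVERNOTE_DEV_TOKEN-}" ]; then
        echo "EVERNOTE_DEV_TOKEN is not set; refusing to run" >&2
        return 1
    fi
    "$@"
}

# Usage: EVERNOTE_DEV_TOKEN='your-token' run_with_token geeknote notebook-list
```

Only forms 2 and 3 deliver the token to the child process; form 1 is exactly the silent failure Pierre saw. Form 2 is the one to reach for in scripts, since it exposes the token to a single command rather than to the whole session.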
Forceflow, posted April 18, 2018: I'd like to generate a dev token, but the form won't let me ("currently disabled").
Trishuryu, posted May 2, 2018: How can I create multiple notes in sequence at once? Could you let me know of another tool to replace the useful geeknote?
Emptied, posted May 14, 2018: Hi there. I'm a Linux System Architect, which means I work from the CLI a lot and have more than a passing knowledge of security. I frequently have a need to add notes out of a terminal, and copy/paste is not my favorite activity. I'm not pleased about the lack of CLI tools in Evernote. I run OS X and don't particularly feel like figuring out how to write AppleScript to accomplish CLI note access. After reading this thread, I fail to see how Geeknote is doing anything that any other client or integration could be doing or, for that matter, a sufficiently coded Tampermonkey script or something. It seems to me like there are far more effective methods that could be used to slow or block unauthorized access to accounts that would not punish legitimate customers that want to use geeknote. Perhaps you could just generate OAuth tokens like you do with developer API tokens, and include a security disclaimer about storing said tokens? Alternately, adding CLI tools to the Evernote for Mac client would scratch my particular itch, but clearly there are lots of Linux users that want access to their notes from the CLI too.