We have disabled the Geeknote app for all Evernote accounts

[Rich Tener 86]

Hi everyone, I lead Evernote's security team. We recently received reports from a small number of users that they had discovered unauthorized access on their account from a third-party app called "Geeknote". We believe that someone has learned these users’ passwords from a website or service not associated with Evernote.

Our security team investigated these reports and found that Geeknote was being used by malicious actors to automate access to our service. We care about the security of Evernote customers, so we’ve revoked the app from our service to disrupt the abuse and protect customers.

If you were previously a Geeknote user, we've emailed you directly to explain this change.

If we detected unauthorized access on your account, we've also emailed you and reset your password.  

If you have not received either email notification from us, then you are likely not impacted.

We recommend that you always use a unique password on your Evernote account and setup two-factor authentication to better protect it. See https://evernote.com/security/tips for more tips on how to secure your account.

To understand more about Evernote and third-party applications visit: https://evernote.com/privacy/third-party-apps
 

[zingbretsen 0]

Just to clarify, the malicious actors were just using Geeknote? Or do you believe that Geeknote itself is somehow compromised?

[Rich Tener 86]

14 minutes ago, zingbretsen said:

Just to clarify, the malicious actors were just using Geeknote? Or do you believe that Geeknote itself is somehow compromised?

@zingbretsen that's correct. The malicious actors were just using Geeknote.

[pva 1]

Thanks for notification! Do I understand correcty that now I'm unable to use evernote with vim? Looks like I have to try simplenote sooner than expected.

[jeff.kowalski 14]

I maintain a geeknote fork.

@Rich Tener, I don't understand the action.  Geeknote simply uses the approved API to access the service via commandline.  Is there a security problem with the program itself?  Shutting it off now limits the functionality of legitimate users without recourse. 

What's the next step?

[ballard 3]

Also, to add to this: since the security concern is not related to Geeknote (or the forks), it seems to be an overreaction to ban the entire use of the tool just because it was used by bad actors.  It would be akin to saying you would ban the Windows client for everyone because a some sets of compromised credentials were used with it (which I'm sure compromised credentials have been used with the Windows client too)

I get that Geeknote and/or Linux isn't nearly as widely used as the other platforms.  Is there an Evernote client option for Linux?  ...that isn't the web client?

[skshim 0]

Thanks for notification. but actually I could not use geeknote because some F2A problem. I wanted to fix that but failed... 

However I always want to use evernote using command line or vim or any other editor on Linux.

I know this page is not for requesting, could you consider release official linux client? 

[jefito 5,589]

1 hour ago, ballard said:

I get that Geeknote and/or Linux isn't nearly as widely used as the other platforms.  Is there an Evernote client option for Linux?  ...that isn't the web client?

Not from Evernote, but: https://sourceforge.net/projects/nevernote/.

[jefito 5,589]

20 minutes ago, skshim said:

I know this page is not for requesting, could you consider release official linux client? 

This is one of several: 

Add your vote...

[ballard 3]

39 minutes ago, jefito said:

Not from Evernote, but: https://sourceforge.net/projects/nevernote/.

This is true, however, Geeknote did not cause a security incident. Unless something non-public occurred, from what we have been told (above):

4 hours ago, Rich Tener said:

@zingbretsen that's correct. The malicious actors were just using Geeknote.

 ...What will stop the miscreants from using NixNote (or any other) client non-official client?  When a compromised account is found on another non-official client, my fear is that Evernote will ban those as well.  This is very ominous sign for non-official clients.

 

 

36 minutes ago, jefito said:

This is one of several: 

Add your vote...

Added, thanks.

[Rich Tener 86]

@ballard there were a couple issues going on. The first is that Geeknote doesn't comply with our API license, which requires the developer to protect their consumer secrets. Geeknote is a standalone app, so the secret is in the source code (config.py). To properly protect it, the developer needs to remove it from the source code and set up a web service to authenticate users. In situations where someone is using an app to abuse our service, we work with the developer to stop new logins on their infrastructure. With Geeknote, we can't do that because there is no infrastructure. We also couldn't reach the original developer that registered the API key.

There is a path forward. For standalone apps like Geeknote, we support a downloadable personal authentication token called a developer token (http://dev.evernote.com/doc/articles/dev_tokens.php). With some app modifications, you can use this personal developer token to authenticate Geeknote to your account.

We've had abuse issues with dev tokens in the past, so we whitelist who can use them. Before we revoked Geeknote from our service, we enabled dev token downloads for everyone that had been using Geeknote. 

Jeff Kowalski, the maintainer of the forked version, has reached out to us and we are working with him on a path forward to get Geeknote working again.

[jeff.kowalski 14]

Thank you @Rich Tener and team for the swift help.  And thank you sincerely for your vigilance in protecting users against intrusion as well as insecure code.  I'm impressed that you cross-posted to the geeknote forks as well as posting on this forum page.  It's clear that you were striving for transparency and support.

To the Community: While I'm not the original author of geeknote, I've been maintaining an active branch at https://github.com/jeffkowalski/geeknote.

In the original source from which I forked, the consumer key and secret were checked into github, and since that can't be erased from the master record, that's a persistent source of problem that can only be addressed by disabling those credentials.  I support Evernote's decision to disable access via those credentials.

As Rich points out, there is good news.  We can generate and successfully use personal developer tokens immediately to regain access individually. Furthermore, moving forward there's the opportunity for a proper OAuth implementation.  Please see https://github.com/jeffkowalski/geeknote/issues/89 for a bit more discussion.

In short, to get going again, it's sufficient to set the EVERNOTE_DEV_TOKEN environment variable to your own newly acquired developer token before invoking geeknote once again as usual.

For the longer-term solution, I solicit and welcome suggestions and coding help in implementing the proper OAuth solution that will make geeknote accessible again to users more broadly. 

Please take those suggestions and pull requests over to the github site.

Thank you, 

Jeff

[Pierre François 0]

3 hours ago, jeff.kowalski said:

In short, to get going again, it's sufficient to set the EVERNOTE_DEV_TOKEN environment variable to your own newly acquired developer token before invoking geeknote once again as usual.

I got a new developers token and tried to invoke geeknote as follows, but I get no output:

EVERNOTE_DEV_TOKEN='my-token-here'; geeknote notebook-list

but I get no output. Do I need to login again?

[jefito 5,589]

11 hours ago, ballard said:

This is true, however, Geeknote did not cause a security incident. Unless something non-public occurred, from what we have been told (above):

Um, not sure what this means You asked the following: "Is there an Evernote client option for Linux?" In my reply, I cited NixNote, which is an Evernote client (software that uses the Evernote service),  though not an Evernote-written client. Ambiguous question, possibly, but answered unambiguously, and nothing to do with Geeknote or any  security incident (or non-incident).

[compromised 0]

My access history has a lot of unathorized access from Geeknote and I have reset my password. Does this mean all my notes and data in Evernote has been compromised? I have some credentials and personal details in it. 

[Rich Tener 86]

@compromised if you discovered unauthorized access to your account, someone had access to everything in it. We don't know exactly what the malicious actors are looking for, but based on previous investigations, we believe they are searching for cryptocurrency wallet credentials. I suggest rotating any credentials you had stored in your notes and looking at a purpose-built password manager to store those moving forward.

[ballard 3]

@Rich Tener and @jeff.kowalski, thank you for your responses, those make perfect sense.

@jefito sorry for my less-than-straightforward answer.  My worries were that something like NixNote could be banned too, but the other responses have addressed that worry.

@compromised: beyond what the others have said, I might suggest turning on Multi-factor authentication.

 

[jeff.kowalski 14]

@Pierre François It's best to post support questions for geeknote over on github, as I see you have, and not cross-post here.  This forum isn't monitored for geeknote support.

You'll find suggestions to address your problem over on the github issue.  Hope it helps.

Cheers,

Jeff

[Pierre François 0]

11 hours ago, jeff.kowalski said:

@Pierre François It's best to post support questions for geeknote over on github, as I see you have, and not cross-post here.  This forum isn't monitored for geeknote support.

You'll find suggestions to address your problem over on the github issue.  Hope it helps.

Cheers,

Jeff

OK. Got it. Thank you.

[arguvant 28]

On 4/4/2018 at 9:41 PM, Pierre François said:

I got a new developers token and tried to invoke geeknote as follows, but I get no output:

EVERNOTE_DEV_TOKEN='my-token-here'; geeknote notebook-list

but I get no output. Do I need to login again?

Remove the semicolon in your command line if you want geeknote to be able to see that environment variable.

[Forceflow 0]

I'd like to generate a dev token, but the form won't let me  ("currently disabled")

[Trishuryu 0]

How can I create multiple notes in sequence at once ? 

Let me know  other tool to replace a useful geeknote ?

[Emptied 0]

Hi there. I'm a Linux System Architect, which means I work from the CLI a lot and have more than a passing knowledge of security. I frequently have a need to add notes out of a terminal, and copy/paste is not my favorite activity. I'm not pleased about the lack of CLI tools in Evernote. I run OSX and don't particularly feel like figuring out how to write Applescript to accomplish CLI note access.

After reading this thread, I fail to see how Geeknote is doing anything that any other client or integration could be doing or, for that matter, a sufficiently coded TamperMonkey script or something. It seems to me like there are far more effective methods that could be used to slow or block unauthorized access to accounts that would not punish legitimate customers that want to use geeknote. Perhaps you could just generate oAuth tokens like you do with developer API tokens, and include a security disclaimer about storing said tokens? Alternately, adding CLI tools to the Evernote for Mac client would scratch my particular itch, but clearly there are lots of linux users that want access to their notes from the CLI too.