Jump to content

We have disabled the Geeknote app for all Evernote accounts

Rich Tener

Recommended Posts

Rich Tener

Rich Tener 86

Posted
Posted

Hi everyone, I lead Evernote's security team. We recently received reports from a small number of users that they had discovered unauthorized access on their account from a third-party app called "Geeknote". We believe that someone has learned these users’ passwords from a website or service not associated with Evernote.

Our security team investigated these reports and found that Geeknote was being used by malicious actors to automate access to our service. We care about the security of Evernote customers, so we’ve revoked the app from our service to disrupt the abuse and protect customers.

If you were previously a Geeknote user, we've emailed you directly to explain this change.

If we detected unauthorized access on your account, we've also emailed you and reset your password.  

If you have not received either email notification from us, then you are likely not impacted.

We recommend that you always use a unique password on your Evernote account and setup two-factor authentication to better protect it. See https://evernote.com/security/tips for more tips on how to secure your account.

To understand more about Evernote and third-party applications visit: https://evernote.com/privacy/third-party-apps
 

  • Like 2
  • Sad 1
Link to comment
jeff.kowalski

jeff.kowalski 13

Posted
Posted

I maintain a geeknote fork.

@Rich Tener, I don't understand the action.  Geeknote simply uses the approved API to access the service via commandline.  Is there a security problem with the program itself?  Shutting it off now limits the functionality of legitimate users without recourse. 

What's the next step?

  • Like 3
Link to comment
ballard

ballard 3

Posted
Posted

Also, to add to this: since the security concern is not related to Geeknote (or the forks), it seems to be an overreaction to ban the entire use of the tool just because it was used by bad actors.  It would be akin to saying you would ban the Windows client for everyone because a some sets of compromised credentials were used with it (which I'm sure compromised credentials have been used with the Windows client too)

I get that Geeknote and/or Linux isn't nearly as widely used as the other platforms.  Is there an Evernote client option for Linux?  ...that isn't the web client?

  • Like 2
Link to comment
skshim

skshim 0

Posted
Posted

Thanks for notification. but actually I could not use geeknote because some F2A problem. I wanted to fix that but failed... 

However I always want to use evernote using command line or vim or any other editor on Linux.

I know this page is not for requesting, could you consider release official linux client? 

Link to comment
ballard

ballard 3

Posted
Posted
39 minutes ago, jefito said:

Not from Evernote, but: https://sourceforge.net/projects/nevernote/.

This is true, however, Geeknote did not cause a security incident. Unless something non-public occurred, from what we have been told (above):

4 hours ago, Rich Tener said:

@zingbretsen that's correct. The malicious actors were just using Geeknote.

 ...What will stop the miscreants from using NixNote (or any other) client non-official client?  When a compromised account is found on another non-official client, my fear is that Evernote will ban those as well.  This is very ominous sign for non-official clients.

 

 

36 minutes ago, jefito said:

This is one of several: 

Add your vote...

Added, thanks. :)

Link to comment
Rich Tener

Rich Tener 86

Posted
  • Author
Posted

@ballard there were a couple issues going on. The first is that Geeknote doesn't comply with our API license, which requires the developer to protect their consumer secrets. Geeknote is a standalone app, so the secret is in the source code (config.py). To properly protect it, the developer needs to remove it from the source code and set up a web service to authenticate users. In situations where someone is using an app to abuse our service, we work with the developer to stop new logins on their infrastructure. With Geeknote, we can't do that because there is no infrastructure. We also couldn't reach the original developer that registered the API key.

There is a path forward. For standalone apps like Geeknote, we support a downloadable personal authentication token called a developer token (http://dev.evernote.com/doc/articles/dev_tokens.php). With some app modifications, you can use this personal developer token to authenticate Geeknote to your account.

We've had abuse issues with dev tokens in the past, so we whitelist who can use them. Before we revoked Geeknote from our service, we enabled dev token downloads for everyone that had been using Geeknote. 

Jeff Kowalski, the maintainer of the forked version, has reached out to us and we are working with him on a path forward to get Geeknote working again.

  • Like 3
Link to comment
jeff.kowalski

jeff.kowalski 13

Posted
Posted

Thank you @Rich Tener and team for the swift help.  And thank you sincerely for your vigilance in protecting users against intrusion as well as insecure code.  I'm impressed that you cross-posted to the geeknote forks as well as posting on this forum page.  It's clear that you were striving for transparency and support.

To the Community: While I'm not the original author of geeknote, I've been maintaining an active branch at https://github.com/jeffkowalski/geeknote.

In the original source from which I forked, the consumer key and secret were checked into github, and since that can't be erased from the master record, that's a persistent source of problem that can only be addressed by disabling those credentials.  I support Evernote's decision to disable access via those credentials.

As Rich points out, there is good news.  We can generate and successfully use personal developer tokens immediately to regain access individually. Furthermore, moving forward there's the opportunity for a proper OAuth implementation.  Please see https://github.com/jeffkowalski/geeknote/issues/89 for a bit more discussion.

In short, to get going again, it's sufficient to set the EVERNOTE_DEV_TOKEN environment variable to your own newly acquired developer token before invoking geeknote once again as usual.

For the longer-term solution, I solicit and welcome suggestions and coding help in implementing the proper OAuth solution that will make geeknote accessible again to users more broadly. 

Please take those suggestions and pull requests over to the github site.

Thank you, 

Jeff

  • Like 4
Link to comment
Pierre François

Pierre François 0

Posted
Posted
3 hours ago, jeff.kowalski said:

In short, to get going again, it's sufficient to set the EVERNOTE_DEV_TOKEN environment variable to your own newly acquired developer token before invoking geeknote once again as usual.

I got a new developers token and tried to invoke geeknote as follows, but I get no output: 

EVERNOTE_DEV_TOKEN='my-token-here'; geeknote notebook-list

but I get no output. Do I need to login again?

Link to comment
  • Level 5*
jefito

jefito 5,587

Posted
  • Level 5*
Posted
11 hours ago, ballard said:

This is true, however, Geeknote did not cause a security incident. Unless something non-public occurred, from what we have been told (above):

Um, not sure what this means You asked the following: "Is there an Evernote client option for Linux?" In my reply, I cited NixNote, which is an Evernote client (software that uses the Evernote service),  though not an Evernote-written client. Ambiguous question, possibly, but answered unambiguously, and nothing to do with Geeknote or any  security incident (or non-incident).

Link to comment
Rich Tener

Rich Tener 86

Posted
  • Author
Posted

@compromised if you discovered unauthorized access to your account, someone had access to everything in it. We don't know exactly what the malicious actors are looking for, but based on previous investigations, we believe they are searching for cryptocurrency wallet credentials. I suggest rotating any credentials you had stored in your notes and looking at a purpose-built password manager to store those moving forward.

  • Like 1
Link to comment
ferrouswheel

ferrouswheel 14

Posted
Posted
On 4/4/2018 at 9:41 PM, Pierre François said:

I got a new developers token and tried to invoke geeknote as follows, but I get no output: 


EVERNOTE_DEV_TOKEN='my-token-here'; geeknote notebook-list

but I get no output. Do I need to login again?

Remove the semicolon in your command line if you want geeknote to be able to see that environment variable.

Link to comment
  • 2 weeks later...
  • 2 weeks later...
Emptied

Emptied 0

Posted
Posted

Hi there. I'm a Linux System Architect, which means I work from the CLI a lot and have more than a passing knowledge of security. I frequently have a need to add notes out of a terminal, and copy/paste is not my favorite activity. I'm not pleased about the lack of CLI tools in Evernote. I run OSX and don't particularly feel like figuring out how to write Applescript to accomplish CLI note access.

After reading this thread, I fail to see how Geeknote is doing anything that any other client or integration could be doing or, for that matter, a sufficiently coded TamperMonkey script or something. It seems to me like there are far more effective methods that could be used to slow or block unauthorized access to accounts that would not punish legitimate customers that want to use geeknote. Perhaps you could just generate oAuth tokens like you do with developer API tokens, and include a security disclaimer about storing said tokens? Alternately, adding CLI tools to the Evernote for Mac client would scratch my particular itch, but clearly there are lots of linux users that want access to their notes from the CLI too.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...