Popular Post Rich Tener 86 Posted August 7, 2018 Popular Post Share Posted August 7, 2018 Hi everyone, I lead Evernote's security team. I wanted to make you aware of a recent update to Evernote for Windows versions 6.4–6.7. All Evernote apps connect with our service over HTTPS, which ensures that the data you send between your devices and our service is encrypted. We recently discovered a security vulnerability in older versions of Evernote for Windows that caused affected clients to use HTTP when contacting certain portions of the Evernote Service. This means that if you used one of the vulnerable versions of our Windows client, our software was occasionally sending your authentication token across the Internet using HTTP without first encrypting it. To be clear, your note content, usernames, and passwords were, and continue to be, securely encrypted in transit. Your password is still safe, and you don’t need to change it. To protect customers, we have blocked access from older versions of Evernote for Windows and have done the same for a small number of third party applications. We have also revoked the authentication session tokens for anyone currently running a vulnerable version of our app. If you had previously blocked upgrades beyond version 6.7, we are providing a hotfix that you can download here: https://cdn1.evernote.com/win6/public/Evernote_6.7.6.7584.exe We strongly encourage all customers to update to the latest version of Evernote for Windows. As an additional precaution, you should log out and back in to refresh your authentication token. We have already notified customers that were affected by this directly via email. 6 8 7 Link to comment
Recommended Posts