Possible Security Issue - Why is Evernote texting me my authentication code?


EdH

Idea

  • Level 5*

I use two factor authentication and use a Google Authenticator device. I just logged into the website on a new browser instance and when it asked me for my 2FA code, before I could get my app launched on my phone, Evernote texted me my code.

I just checked my account security and Text is not checked, but the app is.

Why would Evernote text me this? I had not failed to authenticate, nor had I asked it to use a backup method, which for me would be my backup codes I have saved, not text.

Seems to be a security issue with Evernote's servers.

@Rich Tener

  • Thanks 1
Link to comment

34 replies to this idea

Recommended Posts

  • 0

I've started seeing the same thing a day or so ago and when I also go to my settings only Google Authentication app is selected. Receiving by text is not active but I am getting codes by text anyway. This is something that needs to be looked at immediately but more importantly notice needs to issue if there is a problem and when it will be fixed.

Link to comment
  • 0

To confirm: @EdH you are getting the exact same six digit code that the Google Authenticator app displays for about 30 seconds, via text? Or are you getting a text with a different six digit code that also works, but is different from the one displayed by the Google Authenticator app?

Have you tried waiting until after the currently displayed code on G Auth expires before trying the code from the text? Can you still authenticate?

IIRC, Evernote servers aren't supposed to be able to generate the 6 digit codes generated by the G Auth app running on the end-user's device. Those codes are generated in real time, based on a hash of the private key (that only the end-user has; not even Google's servers are supposed to keep this!) and date time stamp. Evernote servers shouldn't even be able to access that info, until the user enters the code, then the [edit: EN client or the EN server, not sure which, uses that code to query] the Google service and gets a token back saying if the code is valid at that moment in time.

Edited by John in Michigan USA
correct minor error re how code is validated
Link to comment
  • 0
  • Level 5*

@John in Michigan USA The exact same 6 digit code! Yes, there seems to be a problem. I use Authy, but same calculation as Google Authenticator. And same 6 digit code.

@Jim Finn I wonder if you got a different code because it was on the verge of changing so the text went out before it changed and Authy showed you a new one? (or vice versa)

  • Sad 1
Link to comment
  • 0
  • Ex Employees

@EdH (and others on the thread): I looked into this and it turns out to be a small error on our side for the 2FA logic that was introduced while fixing other issues. Simply, we were evaluating a statement incorrectly that determines whether we send the code to the phone if authenticator is enabled. The logic was flipped, so it would always send the code in the case where a user has an auth app setup.

We've got a fix already. It should hopefully go out in the next day or so, when we do our weekly scheduled maintenance.

  • Like 2
  • Thanks 1
  • Sad 1
Link to comment
  • 0

Not impressed with the logic section of that code. That code is supposed to be audited before going live. Auditing means testing *all* execution paths or branches of the code. If they couldn't find this logic error in the audit, it wasn't much of an audit.

Furthermore, sending out the G Auth code gives up one of the strongest features of Google Auth, a thing that separates it from simple, SMS-based 2FA: only the user can generate codes! Letting the server generate codes is the equivalent of storing the user's password in the clear in the user database...you should always store a salted hash of it, or otherwise prevent server admins from being able to easily discover user passwords for themselves.

I guess the lesson is, don't put important stuff like bank info into Evernote!

Edit: I should add that I just experienced this bug when logging into the Web interface from a friend's PC. Waterfox browser v. 56.2.8 (64-bit)

Edited by John in Michigan USA
able to reproduce bug
  • Like 2
Link to comment
  • 0
  • Ex Employees
1 hour ago, John in Michigan USA said:

Furthermore, sending out the G Auth code gives up one of the strongest features of Google Auth, a thing that separates it from simple, SMS-based 2FA: only the user can generate codes! Letting the server generate codes is the equivalent of storing the user's password in the clear in the user database...you should always store a salted hash of it, or otherwise prevent server admins from being able to easily discover user passwords for themselves.

Hi @John in Michigan USA. Our 2FA uses TOTP, which is an algorithm based on HMAC, and does not use any asymmetric algorithm with public/private keys. When a user sets up TOTP 2FA, they scan a code into their google authenticator app. This code is a “shared secret” that both the Evernote Service and the user’s gauth app keep a copy of. This secret is used to generate codes that can be transmitted to authenticate one party to the other. When you send a 2FA code to Evernote, the service uses its copy of the secret to generate a code, and compares your code to it to see if your code is valid. It’s very important that the secret stays safe, which is why it is never transmitted again after 2FA is set up.

You can read more about TOTP on Wikipedia.

  • Like 2
Link to comment
  • 0
23 minutes ago, Scott T. said:

Hi @John in Michigan USA. Our 2FA uses TOTP, which is an algorithm based on HMAC, and does not use any asymmetric algorithm with public/private keys. When a user sets up TOTP 2FA, they scan a code into their google authenticator app. This code is a “shared secret” that both the Evernote Service and the user’s gauth app keep a copy of. This secret is used to generate codes that can be transmitted to authenticate one party to the other. When you send a 2FA code to Evernote, the service uses its copy of the secret to generate a code, and compares your code to it to see if your code is valid. It’s very important that the secret stays safe, which is why it is never transmitted again after 2FA is set up.

You can read more about TOTP on Wikipedia.

Thanks for the info. I hope the shared secret is encrypted at rest in your databases ...

Link to comment
  • 0

@Scott T. Thanks. I'm a glutton for punishment, so I've been reading the TOTP and HOTP RFCs. I see that asymmetric keys are not really a part of the RFCs; they would probably fall under the category of allowed but not required. So I withdraw my statement "only the user can generate codes". I guess TOTP isn't as robust as I assumed it was. But it is certainly appropriate for this use case.

I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

Link to comment
  • 0
  • Level 5*
39 minutes ago, John in Michigan USA said:

@Scott T. I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

Everyone in the software world is concerned with this, but the Halting Problem being what it is, it hasn't been solved yet, at least in the large scale. Humans in the loop mean bugs are always possible, this on a day when Facebook announced a minor mishap of their own: https://www.cnn.com/2019/03/21/tech/facebook-password-database/index.html

Link to comment
  • 0
6 minutes ago, jefito said:

Everyone in the software world is concerned with this, but the Halting Problem being what it is, it hasn't been solved yet, at least in the large scale. Humans in the loop mean bugs are always possible, this on a day when Facebook announced a minor mishap of their own: https://www.cnn.com/2019/03/21/tech/facebook-password-database/index.html

I wouldn't call that a "minor" mishap. Like I said, I hope the shared secret and passwords are encrypted at rest in Evernote's databases ...

Link to comment
  • 0
  • Level 5*
4 minutes ago, eric99 said:

I wouldn't call that a "minor" mishap. Like I said, I hope the shared secret and passwords are encrypted at rest in Evernote's databases ...

You do understand that "minor mishap" was meant ironically, right?

  • Like 2
Link to comment
  • 0
  • Level 5*

I wouldn't hold anyone/thing up to Facebook for comparisons of security. That is like your teenaged son after being in a fender bender telling you it is ok because the town drunk was in a much worse accident last weekend and killed a bus load of children.

  • Like 1
  • Haha 1
Link to comment
  • 0
  • Ex Employees
3 hours ago, John in Michigan USA said:

I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

This is a fair concern. We have tests for 2FA, but they use a testing helper function for getting the code. Effectively, the helper acts like the authenticator, generating the code from the seed. We don't have tests for the actual SMS sending. I'll follow up with the team to find out if we can use one of the many services out there that let you set up a virtual phone number for receiving SMS texts.

  • Thanks 2
Link to comment
  • 0
  • Ex Employees

Spoke with the Security team. Since our whole technology stack is built on top of the Google Cloud Platform (and stored there), we automatically get encryption at rest by default. You can read more about it on the GCP site.

  • Like 2
Link to comment
  • 0
  • Level 5*
1 hour ago, inquisitor said:

Does this mean my evernote data is stored by google?

Don't over react to the answer on this.

At one time Evernote operated their own data centres. At the start, there were no other options.

These days, it's more cost efficient to rent services from other companies; Google, Amazon, ....

Link to comment
  • 0
  • Level 5

Anybody should be happy to learn that EN has outsourced the data storage to Google (or Amazon, or Microsoft, or ... any other major cloud service). This is common practice today for a lot of companies. It does not mean that Google is handling the data, they just run the data center on which the EN data (which is my data, your data, our data !) is saved and processed.

This means the data is super-safe, distributed over a number of data centers, backed up to an extent that a single company could most likely not guarantee.

If you use the data stored in your EN account professionally, you should think about closing a data processing agreement with EN. For European users with professional data use, this is obligatory under European data protection laws. I did this, with a very professional reaction by EN and without additional cost. Just issue a support ticket, briefly explaining why you want to add this amendment to your account. EN confirms in there that the data will be handled and protected in compliance with the new European data protection laws (which is to my knowledge the strictest ruleset of all G20-countries).

Link to comment
  • 0
  • Level 5
3 hours ago, brando90 said:

I'm not receiving texts in the first place...why?!

You're tacking this on to a thread that's a year old and on a different topic. Please start a separate thread for this problem in order to get more useful advice. Thanks!

Link to comment
  • 0
  • Level 5*
1 hour ago, Dave-in-Decatur said:

You're tacking this on to a thread that's a year old and on a different topic. Please start a separate thread for this problem in order to get more useful advice. Thanks!

They also posted near-identical topics on not receiving text messages, so no need for them to start any more new threads on the problem. Oh, and I merged them already.

  • Like 1
Link to comment