Possible Security Issue - Why is Evernote texting me my authentication code?

[EdH 1,670]

I use two factor authentication and use a Google Authenticator device. I just logged into the website on a new browser instance and when it asked me for my 2FA code, before I could get my app launched on my phone, Evernote texted me my code.

I just checked my account security and Text is not checked, but the app is.

Why would Evernote text me this? I had not failed to authenticate, nor had I asked it to use a backup method, which for me would be my backup codes I have saved, not text.

Seems to be a security issue with Evernote's servers.

@Rich Tener

[Jim Finn 4]

I've started seeing the same thing a day or so ago and when I also go to my settings only Google Authentication app is selected. Receiving by text is not active but I am getting codes by text anyway. This is something that needs to be looked at immediately but more importantly notice needs to issue if there is a problem and when it will be fixed.

[Kubaton 0]

This is also happening to me. I noticed it last week and then again today.

[John in Michigan USA 129]

To confirm: @EdH you are getting the exact same six digit code that the Google Authenticator app displays for about 30 seconds, via text? Or are you getting a text with a different six digit code that also works, but is different from the one displayed by the Google Authenticator app?

Have you tried waiting until after the currently displayed code on G Auth expires before trying the code from the text? Can you still authenticate?

IIRC, Evernote servers aren't supposed to be able to generate the 6 digit codes generated by the G Auth app running on the end-user's device. Those codes are generated in real time, based on a hash of the private key (that only the end-user has; not even Google's servers are supposed to keep this!) and date time stamp. Evernote servers shouldn't even be able to access that info, until the user enters the code, then the [edit: EN client or the EN server, not sure which, uses that code to query] the Google service and gets a token back saying if the code is valid at that moment in time.

Edited March 19, 2019 by John in Michigan USA
correct minor error re how code is validated

[Jim Finn 4]

I can confirm that it was a different code to the one displayed in my Authy app. The code from authy worked perfectly. Did not try the texted code. 

[pavelc 0]

Looks like I'm not the only one with this issue. Those seperate and valid authentication codes are making a little nervous.

[EdH 1,670]

@John in Michigan USA The exact same 6 digit code! Yes, there seems to be a problem. I use Authy, but same calculation as Google Authenticator. And same 6 digit code.

@Jim Finn I wonder if you got a different code because it was on the verge of changing so the text went out before it changed and Authy showed you a new one? (or vice versa)

[Jim Finn 4]

Not sure. The authy code was in the middle of the 30 second countdown or so. Not trusting the text message though. Waiting official word on the issue but not holding my breath. 

[John in Michigan USA 129]

@EdH Yikes! That's bad.

[macfixer 703]

I wonder if it's related to this banner in the Evernote Forums?

https://discussion.evernote.com/topic/119048-security-update-email-regarding-account-security/

[EdH 1,670]

8 hours ago, macfixer said:

I wonder if it's related to this banner in the Evernote Forums?

https://discussion.evernote.com/topic/119048-security-update-email-regarding-account-security/

No, because then I would be getting them randomly as people tried to break into my account. I only get the SMS when I am logging in and need a code.

[EdH 1,670]

Opened ticket #2801981. Let's see what they say, besides rebooting my PC and the usual.

[macfixer 703]

Good luck, let me know how it ends up for you.

[Scott T. 662]

@EdH (and others on the thread): I looked into this and it turns out to be a small error on our side for the 2FA logic that was introduced while fixing other issues. Simply, we were evaluating a statement incorrectly that determines whether we send the code to the phone if authenticator is enabled. The logic was flipped, so it would always send the code in the case where a user has an auth app setup.

We've got a fix already. It should hopefully go out in the next day or so, when we do our weekly scheduled maintenance.

[EdH 1,670]

Thanks @Scott T.

[Jim Finn 4]

@Scott T. Thanks for the update. Hopefully that will sort it.

[John in Michigan USA 129]

Not impressed with the logic section of that code. That code is supposed to be audited before going live. Auditing means testing *all* execution paths or branches of the code. If they couldn't find this logic error in the audit, it wasn't much of an audit.

Furthermore, sending out the G Auth code gives up one of the strongest features of Google Auth, a thing that separates it from simple, SMS-based 2FA: only the user can generate codes! Letting the server generate codes is the equivalent of storing the user's password in the clear in the user database...you should always store a salted hash of it, or otherwise prevent server admins from being able to easily discover user passwords for themselves.

I guess the lesson is, don't put important stuff like bank info into Evernote!

Edit: I should add that I just experienced this bug when logging into the Web interface from a friend's PC. Waterfox browser v. 56.2.8 (64-bit)

Edited March 21, 2019 by John in Michigan USA
able to reproduce bug

[Scott T. 662]

1 hour ago, John in Michigan USA said:

Furthermore, sending out the G Auth code gives up one of the strongest features of Google Auth, a thing that separates it from simple, SMS-based 2FA: only the user can generate codes! Letting the server generate codes is the equivalent of storing the user's password in the clear in the user database...you should always store a salted hash of it, or otherwise prevent server admins from being able to easily discover user passwords for themselves.

Hi @John in Michigan USA. Our 2FA uses TOTP, which is an algorithm based on HMAC, and does not use any asymmetric algorithm with public/private keys. When a user sets up TOTP 2FA, they scan a code into their google authenticator app. This code is a “shared secret” that both the Evernote Service and the user’s gauth app keep a copy of. This secret is used to generate codes that can be transmitted to authenticate one party  to the other. When you send a 2FA code to Evernote, the service uses its copy of the secret to generate a code, and compares your code to it to see if your code is valid. It’s very important that the secret stays safe, which is why it is never transmitted again after 2FA is set up.

You can read more about TOTP on Wikipedia.

[eric99 978]

23 minutes ago, Scott T. said:

Hi @John in Michigan USA. Our 2FA uses TOTP, which is an algorithm based on HMAC, and does not use any asymmetric algorithm with public/private keys. When a user sets up TOTP 2FA, they scan a code into their google authenticator app. This code is a “shared secret” that both the Evernote Service and the user’s gauth app keep a copy of. This secret is used to generate codes that can be transmitted to authenticate one party  to the other. When you send a 2FA code to Evernote, the service uses its copy of the secret to generate a code, and compares your code to it to see if your code is valid. It’s very important that the secret stays safe, which is why it is never transmitted again after 2FA is set up.

You can read more about TOTP on Wikipedia.

Thanks for the info. I hope the shared secret is  encrypted at rest in your databases ...

[John in Michigan USA 129]

@Scott T. Thanks. I'm a glutton for punishment, so I've been reading the TOTP and HOTP RFCs. I see that asymmetric keys are not really a part of the RFCs; they would probably fall under the category of allowed but not required. So I withdraw my statement "only the user can generate codes". I guess TOTP isn't as robust as I assumed it was. But it is certainly appropriate for this use case.

I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

[jefito 5,589]

39 minutes ago, John in Michigan USA said:

@Scott T.I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

Everyone in the software world is concerned with this, but the Halting Problem being what it is, it hasn't been solved yet, at least in the large scale. Humans in the loop mean bugs are always possible, this on a day when Facebook announced a minor mishap of their own: https://www.cnn.com/2019/03/21/tech/facebook-password-database/index.html

[eric99 978]

6 minutes ago, jefito said:

Everyone in the software world is concerned with this, but the Halting Problem being what it is, it hasn't been solved yet, at least in the large scale. Humans in the loop mean bugs are always possible, this on a day when Facebook announced a minor mishap of their own: https://www.cnn.com/2019/03/21/tech/facebook-password-database/index.html

I wouldn't call that a "minor" mishap. Like I said, I hope the shared secret and passwords are  encrypted at rest in evernotes databases ...

[jefito 5,589]

4 minutes ago, eric99 said:

I wouldn't call that a "minor" mishap. Like I said, I hope the shared secret and passwords are  encrypted at rest in evernotes databases ...

You do understand that "minor mishap" was meant ironically, right?

[EdH 1,670]

I wouldn't hold anyone/thing up to Facebook for comparisons of security. That is like your teenaged son after being in a fender bender telling you it is ok because the town drunk was in a much worse accident last weekend and killed a bus load of children.

[Scott T. 662]

3 hours ago, John in Michigan USA said:

I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

This is a fair concern. We have tests for 2FA, but they use a testing helper function for getting the code. Effectively, the helper acts like the authenticator, generating the code from the seed. We don't have tests for the actual SMS sending. I'll follow-up with the team to find out if we can use one of the many services out there that let you setup a virtual phone number for receiving SMS texts. 

[Scott T. 662]

4 hours ago, eric99 said:

Thanks for the info. I hope the shared secret is  encrypted at rest in your databases ...

I will follow-up with our Security team about this.

[Scott T. 662]

Spoke with the Security team. Since our whole technology stack is built on top of the Google Cloud Platform (and stored there), we automatically get encryption at rest by default. You can read more about it on the GCP site.

[dr.mcclimans 0]

Does this mean my evernote data is stored by google?

[CalS 5,280]

1 hour ago, inquisitor said:

Does this mean my evernote data is stored by google?

Nope.  Just means EN "leases" google servers to store all our data.  Here is some background.

[DTLow 5,736]

1 hour ago, inquisitor said:

Does this mean my evernote data is stored by google?

Don't over react to the answer on this.

At one time Evernote operated their own data centres.  At the start, there was no other options.

These days, it's more cost efficient to rent services  from other companies; Google, Amazon, ....

[PinkElephant 8,075]

Anybody should be happy to learn that EN has outsourced the data storage to Google (or Amazon, or Microsoft, or ... any other major cloud service). This is common practice today for a lot of companies. It does not mean that Google is handling the data, they just run the data center on which the EN data (which is my data, your data, our data !) is saved and processed.

This means the data is super-save, distributed over a number of data centers, backuped to an extend that a single company could most likely not guarantee. 

If you use the data stored in your EN account professionally, you should think about closing a data processing agreement with EN. For European users with professional data use, this is obligatory under European data protection laws. I did this, with a very professional reaction by EN and without additional cost. Just issue an support ticket, briefly explaining why you want to add this amendment to your account. EN confirms in there that the data will be handled and protected in compliance with the new European data protection laws (which is to my knowledge the strictest ruleset of all G20-countries).

[dr.mcclimans 0]

Yes. I use it professionally which is why I investigated this issue - very perceptive Pink Elephant. Thank you very much for sharing your experience. I will follow up with EN regarding an amendment. Best wishes.

[brando90 20]

Im not receiving texts in the first place...why?!

[Dave-in-Decatur 3,938]

3 hours ago, brando90 said:

Im not receiving texts in the first place...why?!

You're tacking this on to a thread that's a year old and on a different topic. Please start a separate thread for this problem in order to get more useful advice. Thanks!

[jefito 5,589]

1 hour ago, Dave-in-Decatur said:

You're tacking this on to a thread that's a year old and on a different topic. Please start a separate thread for this problem in order to get more useful advice. Thanks!

They also posted near-identical topics on the not receiving text messages, so no need for them to start any more new threads on the problem. Oh, and I merged them already .