Evernote Chrome extension vulnerability allowed attackers to steal 4.7M users' data


Atul Mishra
  • Ex Employees
  • Solution

Hey Folks, I am Jesse Lesperance and am the Head of Security at Evernote.

Jumping in with a couple of observations:

  • Here’s another piece of coverage [https://www.cyberscoop.com/evernote-patches-flaw-google-chrome-extension/] with more accurate and specific information. The original Guardio press release is here: https://www.prnewswire.com/news-releases/guardio-discovers-major-vulnerability-in-evernotes-chrome-extension-300866322.html
  • As mentioned in the CyberScoop coverage above, Guardio does not believe that anyone took advantage of the bug. At Evernote, we have not found any evidence that the vulnerability reported by Guardio has been exploited.
  • We have a robust security program which includes working with many external security researchers; when we or a third-party discover vulnerabilities, we have a formal triage process that ensures that we appropriately prioritize and resolve/mitigate the vulnerability.  In this case, due to the potential impact, we had patched the vulnerability and distributed a new release within 3 days of Guardio’s contacting us.
  • Chrome Extensions are by default set to auto-upgrade precisely for these sorts of situations; consequently our patch was automatically applied to the vast majority of installed Chrome WebClippers.

If you are a user of the WebClipper Extension for Google Chrome, and you have changed the defaults on how your Chrome Extensions upgrade, you should ensure that you have v7.11.1 (or better) of the Chrome WebClipper Extension installed.

  • Level 5*

Well, scare headline notwithstanding (attackers almost certainly did not steal data from 4.7 million users), a forum announcement about the problem should probably have been published.

According to the article, the problem has been fixed: Money quote from the article:

Quote

The affected extension has over 4.7 million users, according to statistics on the Chrome Web Store, theoretically putting a large number of users at risk. Evernote's handling of the vulnerability is laudable, as the company issued an update (version 7.11.1) to address the vulnerability less than one week after being notified.

So check your web clipper version number, and if it's not 7.11.1, update.

  • Level 5*
1 hour ago, Atul Mishra said:

attackers to steal 4.7M users' data

Do you actually believe that # of users had data stolen?

  • Level 5

1st: ***** happens, and whoever is on the net knows it will happen again (no excuse, just experience).

2nd: obviously the reaction by EN was fast and professional.

3rd: whoever is using 2FA on his account is on the safe side, and will get notice if his credentials were stolen and used for a login attempt.

So far the facts.

Now I am diligently awaiting the ***** storm that will arise from those who a) use the same user & PW on several services, b) do not know or care what 2FA means and c) think that a PW manager is only for the feeble-hearted users among us.

P.S. My explicit language got replaced on posting by the stars. Somebody is watching us to only do good ...

  • Level 5*
53 minutes ago, Phil2656 said:

Do you recommend us to change our Evernote password after this security breach?

I merged your question with the main discussion on this incident.

I recommend you read the post from Evernote's head of security.

I have no details on this, but afaik I'm not aware of any security breach that requires a password change.

For those really concerned with security: you should change your password often, and implement other security measures like 2FA. Your password should be a computer-generated random string. The password should only be used for Evernote access, not at other sites.

  • Level 5

Everybody who will feel better afterwards should change his PW. No harm done by doing so ...

More important are 3 other things:

  1. Activate 2FA, on EN and on any other account where it is possible. Most important are the e-mail accounts, because these are often used to reset other passwords.
  2. Get a PW manager that helps you to produce strong, individual PWs. Many (like 1Password) will even analyze your accounts for weaknesses, and will tell you where 2FA is available.
  3. Check your accounts (mostly the e-mail address often used as account name) to see whether they appear in one of the many breaches that have happened over the years. These did not happen at EN - but if one reuses account name and PW from other services, the account is at risk. Checks can be done at https://haveibeenpwned.com/ for free. This does not tell you that your PW has actually been misused; it just checks whether it is included in the stolen account files that circulate on the internet. Many are ...

I have never been to the US, nor do I use a VPN service for my laptop, but my EN account seems to have been accessed from the US. I have changed my password to a stronger one with the help of a password manager after noticing this. Please look at the attached image. Can anybody clarify what has happened in this case?

  • Level 5

Just to make it a little easier than the academic explanation, I tell it as a story:

I am sitting at my desk in Germany. Now I am going to attack your account (if I had your credentials, which I don't have, and if I had any intention to do so, which I don't have), but I want to cloak my location. What would I do?

Activate my VPN, switch the country to, say, Singapore, which builds a VPN tunnel from my PC to Singapore, and enter your account data. What would you see? An access from Singapore.

Not good enough, because several pieces of data from my PC would be transmitted as well, which could be used for fingerprinting my device. OK, so I use some software that will virtually convert my PC into an Android, Samsung S5, together with all the false device and SW fingerprints.

Now you have got what you would see later: an access from Singapore with an Android device to your account. In reality I am sitting at my desk in Germany, and use a PC to go and steal your data.

This is how it happens (or better: if Disaster Kid is doing it; pros would rather use automated software to do this, and not use a VPN service but a network of "dark" proxy servers used for the same purpose, but harder to track).

Welcome to the world behind the mirrors, where nothing is as it seems.

One last thing: none of this has to do with EN not protecting your data, but with yourself logging in yesterday in the Internet cafe on an open WiFi / your maybe infected hardware / whatever weak PW you may use etc.

Just one example: if somebody infected your PC with some malware, even using a PW manager will not help, because for example they can log every key you press, including your user name and PW, make a screen copy every few seconds and send it to a remote server etc.

If I were to build my EN access into a fortress, I would use a device known for low risk of attack like any iOS device, enter my account, change the PW into a strong one created in my PW manager on this device, get 2FA up and running, and be done. Which is what I have done, some day in the past ... and what you can do as well (maybe minus the iOS device).

  • Level 5*
7 hours ago, Atul Mishra said:

I have never been to the US, nor do I use a VPN service for my laptop, but my EN account seems to have been accessed from the US. I have changed my password to a stronger one with the help of a password manager after noticing this. Please look at the attached image. Can anybody clarify what has happened in this case?

Just guessing - someone learned your userid/password and tried it out on the Evernote site.

In addition to changing to a strong password, only use it on the Evernote site. Don't use the same password on other sites.

8 hours ago, DTLow said:

In addition to changing to a strong password, only use it on the Evernote site.  Don't use the same password on other sites.

I have done the same thing; the new password is unique to EN (the same p/w is not being used on any other site). I use my college's private network, which IMHO is fairly strong. However, the strange thing is that the app/device shown is mine (Desktop-IHFTEAJ).

  • Level 5

The easiest explanation is that you were on a VPN tunneling to California, or the network was going through a proxy server there.

A VPN need not necessarily be built from the PC; there are complete networks (mostly company ones) that always use a VPN, often going into their headquarters. Thus all devices linked to that network can use the intranet, servers and other resources of the company.

A home use case can be being able to watch the latest Netflix stuff not yet available in one's home country.

Check the date and time of the access, and whether you may have linked up to such a network at that time.

  • Ex Employees

Just a little bit of clarity on the IP from the US:

The 35.199.x.x IP address is allocated to Google Cloud, where Evernote hosts our infrastructure. What you are seeing is a piece of normal communication with one of our systems which is currently being misreported as an account access. We are aware of the issue and are working internally to resolve the bug.

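The check behind that last reply (is the "US" IP in the access history actually the hosting provider's own address space?) can be done by anyone triaging such entries; this is an added example, not Evernote's code and not from anyone in the thread. It reads a document in the shape of Google's published range list (https://www.gstatic.com/ipranges/cloud.json) and tags access-history rows whose IP falls inside it; the prefixes, scopes and log rows in the block are constructed samples, not copied from the live list or from the screenshot.

```python
import ipaddress
import json

# Constructed sample in the shape of Google's cloud.json. The prefix and scope
# values are illustrative only; fetch the real file to do a live check.
SAMPLE_CLOUD_RANGES = json.dumps({
    "syncToken": "constructed",
    "prefixes": [
        {"ipv4Prefix": "35.199.0.0/16", "service": "Google Cloud", "scope": "us-west2"},
        {"ipv4Prefix": "34.64.0.0/10", "service": "Google Cloud", "scope": "global"},
        {"ipv6Prefix": "2600:1900::/28", "service": "Google Cloud", "scope": "global"},
    ],
})

# Constructed rows resembling what an "Access History" page lists.
SAMPLE_ACCESS_LOG = [
    {"when": "2019-06-12 09:14", "device": "Desktop-EXAMPLE", "ip": "35.199.10.20"},
    {"when": "2019-06-12 21:03", "device": "Desktop-EXAMPLE", "ip": "203.0.113.45"},
]


def load_ranges(raw_json):
    """Return (network, scope) tuples from a cloud.json-style document."""
    nets = []
    for p in json.loads(raw_json)["prefixes"]:
        cidr = p.get("ipv4Prefix") or p.get("ipv6Prefix")
        nets.append((ipaddress.ip_network(cidr), p.get("scope", "")))
    return nets


def classify_ip(ip, nets):
    """Return the scope if `ip` lies in a known provider range, else None."""
    addr = ipaddress.ip_address(ip)
    for net, scope in nets:
        if addr.version == net.version and addr in net:
            return scope
    return None


def triage(log_rows, nets):
    """Tag each row 'provider-backend' when the IP is in the hosting provider's
    ranges (likely service traffic shown as a login), otherwise 'review'."""
    return [
        (row["when"], row["ip"],
         "provider-backend" if classify_ip(row["ip"], nets) else "review")
        for row in log_rows
    ]


if __name__ == "__main__":
    for entry in triage(SAMPLE_ACCESS_LOG, load_ranges(SAMPLE_CLOUD_RANGES)):
        print(entry)
```

A hit only tells you the address belongs to the provider; an entry from outside every known range still deserves the date/time and device cross-check suggested earlier in the thread.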