Jump to content

(Archived) shared notebook URLs & security, feature or bug?


Recommended Posts

Posted

We've noticed this odd behavior and hope someone can explain what is going on.

tl;dr: Notebooks shared with individuals are visible to anyone with the URL and an Evernote account, not just the individual(s) to whom an invitation was sent. The owner of the shared notebook cannot see that more people than intended are viewing/modifying the notebook.

Long version:

-All users in this example have evernote accounts.

-Evernote user User1 creates and shares a Notebook with User2. They do this using the "Share with individuals" settings, NOT with Share with the world.

-User2 receives the email from Evernote, clicks the link, and can now see/edit the shared notebook both online and in their Evernote client. User1, the owner of the shared notebook, can look at Shared Notebook Settings and see User2 listed as "currently shared with" and can remove their access. So far this is all working as expected, nothing out of the ordinary.

-This is where it gets weird.

-User2 sends the URL to User3. Either by forwarding the email, pasting it in IM, posts it on their website, whatever.

-User3, clicks the URL and can see/edit the Shared Notebook originally shared by User1.

-User1 is totally unaware that User3 now has access to the notebook and does not have the ability to remove their access.

What's up with that? Bug or 'feature'?

Posted

Doing more testing, but what I believe is happening is Evernote allows 1 person to use that link. Doesn't matter if it is the intended individual, just whoever gets there first.

Posted

Ok, seems to be that the link does work for exactly one person only. But it doesn't matter if that person is who you intended to share the notebook with.

Is this a bug or a feature?

Posted

Since you share this with another person by email address, we don't actually know which Evernote account that corresponds to until the recipient of the email clicks on it and logs in to their account. For example, the recipient of the email may not yet have an Evernote account when you send the invitation, or they may have registered their account under a different email address.

Since the URL itself contains secret information, and it's only sent to your friend's email address, they should be the only one who clicks on it. I.e. the URL is not "public" anywhere except that direct email. So as long as you typed the email address, only the recipient should be able to open the note, and if you shared the notebook with "require login" permissions, then it will be permanently bound to their account on first login.

So, yes, this is working as intended, but it may be a little confusing how it works, since we wanted to make sure you could share with a friend without having to coordinate with them to learn their Evernote username first.

  • 3 weeks later...
Posted

I want this same option added to individual note sharing. I want to share individual notes with certain people only (not requiring login, but limited to the recipient who clicks). I would likely use this as much as shared notebooks.

Posted

I Would like to add the individual note sharing with certain people only . It may be different for different people.So I like my best.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...