(Archived) Authorized services and security?

[evernote-fan 34]

Hello,

I've a question about security concerning authorized services:

Some third party websites are working together with Evernote and aks for access to Evernote. What about security? If the server of such a third party app is hacked does the hacker also have full access to all my notes?

evernote-fan

[BurgersNFries 2,407]

As I understand it, the third party apps I use (Fastever, Fasteversnap, Egretlist), store my EN credentials on the client side. And, those apps don't have any cloud data of their own. So there is no concern I have about hackers for those sites.

I don't know what apps you may be specifically concerned about, so it may be different, depending upon the app.

[GrumpyMonkey 4,319]

when it comes to hacking, i figure someone can figure out how to do just about anything. i am speaking from experience. several major websites that i use have been hacked this year (the most recent one being zappos), and one of my accounts was actually hijacked for a brief time to make unauthorized purchases. i resolved the issue, but i was surprised at their ingenuity. they are quite tricky, and the supposedly secure sites were shockingly ill-prepared. i have pretty much resigned myself to the fact that my credit card information and ssn are probably all over the web by now. i log in regularly to monitor all of my accounts now.

so, based on my paranoia, i imagine they would have access. the third party apps have your passwords (encrypted or not) and the hackers could presumably access your account via the third party servers. that's just my guess.

unfortunately, i think this is risk you take when you use other services. even with my experiences, i am not terribly concerned about it, because i consider this one of the prices you pay for living in the clouds, but you'll have to evaluate the risk for your circumstances.

[peterfmartin 221]

GrumpyMonkey, this is the first time I have noticed that your avatar appears to be scared or sad.

(As to OP's question, I also can't give any definitive answer. I have given ifttt the access it requested to my Evernote account, but my understanding is that that just allows it to create notes.)

[GrumpyMonkey 4,319]

hi. maybe i should be sadmonkey

as for ifttt, it seems like a cool service, but am i the only one that thinks its terms of service (tos) are incredibly vague about really important things like ownership and use of data? it is, however, very specific about things like using the service to "operate nuclear facilities, life support, or other mission critical application where human life or property may be at stake." hahaha. if the government outsources its control over nuclear missile silos and/or nuclear power plants, then i will be pretty amazed!

[jbenson2 2,147]

Steve Gibson on the podcast "Security Now" addressed this issue on a general basis a few months ago. The password is never sent on to the 3rd party. There is a simple swap of tokens to assure the correct person is requesting access.I'm not a computer expert, so I might be butchering his response.

Personally, I would like this sort of information to be spelled out by Evernote and by the 3rd party software with clear and easy to understand information for the average user. I'm not holding my breath however.

[jefito 5,589]

Steve Gibson, the guy who predicts the death of the Internet every so often?

[jbenson2 2,147]

Steve Gibson, the guy who predicts the death of the Internet every so often?

Yeah, he's the guy who is coming to the conclusion that it is impossible to fight the bad guys with good software. Everything ends up with band-aids on top of other band-aids needed to patch up the glitches. The software developer has to be 100% perfect on every line of code. He has examples on every podcast, That is why he prefers to shy away from new programs and browsers until other people are exposed to the initial major faults.

So my ears perked up when he gave the green light approval to the 3rd party token OAauth.