BurgersNFries 2,407 Posted November 4, 2012 Share Posted November 4, 2012 (I realize it's Sunday & the EN staff is probably busy with doing anti-message-board-hacker stuff, but I'm going to go ahead & post this now, anyway...)I use several third party apps on my iPhone/iPad. When I realized the message board had been hacked this morning, I immediately went to the web client & changed my password. However, my third party apps are still (about six hours later) able to send new notes to my EN account. (FastEver & Clever on iPad). I was also able to actually *change* an existing note in Clever on iPad. (I tested these new notes/changes by sync'ing my 2nd PC & yes, the new notes & changes entered on my iPad (*after* I changed my password in the EN web client but hadn't entered the new password in either of these third party apps) showed up on the 2nd PC.)Since these are two apps from two different software developers, I'm wondering if both devs are lax in their password checking...but then it would seem like the login/password would be required each time one sync'd from an app...??? Maybe not... I dunno. I do have PINS on not only my iPhone, iPad & Kindle Fire, as well as utilize the EN PINS on aforementioned devices. However, I still have a concern (yah, I'm a bit anal/OC that way) that if someone has access to EN on one of my devices, changing my EN password does not seem to prevent them from adding/changing notes in my account...??? (I haven't tried deleting notes, but I'd guess that would be enabled, too.) Link to comment
Level 5* GrumpyMonkey 4,320 Posted November 4, 2012 Level 5* Share Posted November 4, 2012 (I realize it's Sunday & the EN staff is probably busy with doing anti-message-board-hacker stuff, but I'm going to go ahead & post this now, anyway...)I use several third party apps on my iPhone/iPad. When I realized the message board had been hacked this morning, I immediately went to the web client & changed my password. However, my third party apps are still (about six hours later) able to send new notes to my EN account. (FastEver & Clever on iPad). I was also able to actually *change* an existing note in Clever on iPad. (I tested these new notes/changes by sync'ing my 2nd PC & yes, the new notes & changes entered on my iPad (*after* I changed my password in the EN web client but hadn't entered the new password in either of these third party apps) showed up on the 2nd PC.)Since these are two apps from two different software developers, I'm wondering if both devs are lax in their password checking...but then it would seem like the login/password would be required each time one sync'd from an app...??? Maybe not... I dunno. I do have PINS on not only my iPhone, iPad & Kindle Fire, as well as utilize the EN PINS on aforementioned devices. However, I still have a concern (yah, I'm a bit anal/OC that way) that if someone has access to EN on one of my devices, changing my EN password does not seem to prevent them from adding/changing notes in my account...??? (I haven't tried deleting notes, but I'd guess that would be enabled, too.)I'm no expert on this, by my understanding is that everything has moved to oauth, so as long as developers use that system, they do not get your passwords. In other words, change your Evernote password all you want and it will not affect integrations. If they were to get hacked, it wouldn't affect your passwords in the least, because they don't know your information. No worries here (as far as I know). I'm sure Evernote staff will report later on the forums about the issue. I expect we'll hear:(1) It had nothing to do with Evernote, because this forum is run by a different company.(2) The forums don't have your passwords, because you log into it through Evernote.(3) There is nothing to worry about.But, of course, it never hurts to change your password! That's the first thing I did as well. Link to comment
BurgersNFries 2,407 Posted November 4, 2012 Author Share Posted November 4, 2012 I'm no expert on this, by my understanding is that everything has moved to oauth, so as long as developers use that system, they do not get your passwords. In other words, change your Evernote password all you want and it will not affect integrations.Yeah, but let's say someone had access to my iPad & could get into say, Clever or FastEver (b/c AFAIK, FastEver does not have a PIN.) That means if my iPad were stolen & someone had my iPad PIN (or for those poor souls who don't PIN their devices), the thief could infiltrate my EN account. So far, I'm not worried b/c:First, as you say, I don't think today's hacker's really got any passwords b/c it still appears to be the message board only & not restricted to EN. (You know you've made it when hackers target NBC AND you!)Second, I have a PIN on all my devices & pretty much ALWAYS lock them before putting them down or even in my pocket/tote/purse & I don't pass them around like toys. I'm just thinking *if* someone was tricky enough to steal my iPad & know my PIN's (I use one for the device & another for the apps), then changing my EN password doesn't seem to keep the thief out of my account b/c they can access via the third party apps I've installed.If nothing else, this is something people who use third party apps should be aware of. (At least from what I can see...) And if this is the case, I may well rethink my usage of third party apps... that would be very debilitating for me and with my PINs & such, I may be overly concernced...but definitely something I need to think about. Link to comment
Level 5* GrumpyMonkey 4,320 Posted November 4, 2012 Level 5* Share Posted November 4, 2012 I'm no expert on this, by my understanding is that everything has moved to oauth, so as long as developers use that system, they do not get your passwords. In other words, change your Evernote password all you want and it will not affect integrations.Yeah, but let's say someone had access to my iPad & could get into say, Clever or FastEver (b/c AFAIK, FastEver does not have a PIN.) That means if my iPad were stolen & someone had my iPad PIN (or for those poor souls who don't PIN their devices), the thief could infiltrate my EN account. So far, I'm not worried b/c:First, as you say, I don't think today's hacker's really got any passwords b/c it still appears to be the message board only & not restricted to EN. (You know you've made it when hackers target NBC AND you!)Second, I have a PIN on all my devices & pretty much ALWAYS lock them before putting them down or even in my pocket/tote/purse & I don't pass them around like toys. I'm just thinking *if* someone was tricky enough to steal my iPad & know my PIN's (I use one for the device & another for the apps), then changing my EN password doesn't seem to keep the thief out of my account b/c they can access via the third party apps I've installed.If nothing else, this is something people who use third party apps should be aware of. (At least from what I can see...) And if this is the case, I may well rethink my usage of third party apps... that would be very debilitating for me and with my PINs & such, I may be overly concernced...but definitely something I need to think about.Oh. I see what you are saying. The solution to that is quite simple. If you have your devices stolen or otherwise compromised, go to www.evernote.com and remove their permission to access your account. Link to comment
BurgersNFries 2,407 Posted November 4, 2012 Author Share Posted November 4, 2012 Oh. I see what you are saying. The solution to that is quite simple. If you have your devices stolen or otherwise compromised, to to www.evernote.com and remove their permission to access your account.Ok. (Sigh of relief!)Thank you! Link to comment
Level 5* GrumpyMonkey 4,320 Posted November 4, 2012 Level 5* Share Posted November 4, 2012 Oh. I see what you are saying. The solution to that is quite simple. If you have your devices stolen or otherwise compromised, to to www.evernote.com and remove their permission to access your account. Ok. (Sigh of relief!) Thank you! Sure I think I've got it right, but it would be a good idea (I think) for Evernote to have this stuff more prominently described on their site (maybe without the technical talk), and it would be an even better idea to have these settings more directly accessible from the app. It wouldn't be creating a new feature, but highlighting an existing one. Link to comment
BurgersNFries 2,407 Posted November 4, 2012 Author Share Posted November 4, 2012 I think I've got it right, but it would be a good idea (I think) for Evernote to have this stuff more prominently described on their site (maybe without the technical talk), and it would be an even better idea to have these settings more directly accessible from the app. It wouldn't be creating a new feature, but highlighting an existing one.Yeah. I'm in the middle of getting something ready for someone else. But afterwards, I want to make an Evernote about this...and...hope I remember to look at it again, should I ever need it! Link to comment
Recommended Posts
Archived
This topic is now archived and is closed to further replies.