
(Archived) Evernote leaks authentication through HTTP





In the official Evernote Agent, when you click Usage > Username: "username_link", a browser will pop up with you already fully authenticated to your account.

The problem is that when you click that link, it will create a plaintext HTTP GET:


GET http://www.evernote.com/setAuthToken?auth=xxxxxxxxxxxxxxxxxx=/User.action


Everybody sniffing the network, or every MITM like a proxy, can intercept this request, replay it and gain FULL access to ALL of your Evernote notes...


Can this be looked into? Am I missing something?






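A defender-side check for the pattern described in the post, as an added example that is not part of the original thread: it scans proxy log lines for credential-like query parameters and rates requests sent over cleartext HTTP highest. The log format, the parameter-name list, the severity labels and every sample line except the post's own URL are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credential-bearing (assumed list; "auth" is the one in the post).
SENSITIVE_PARAMS = {"auth", "token", "access_token", "session", "sessionid", "sid"}

# Constructed proxy log lines (timestamp, client, method, target); not real traffic.
SAMPLE_LOG = """\
2013-01-01T10:00:01Z 10.0.0.5 GET http://www.evernote.com/setAuthToken?auth=xxxxxxxxxxxxxxxxxx=/User.action
2013-01-01T10:00:02Z 10.0.0.5 GET https://www.example.test/login?token=CONSTRUCTEDVALUE123
2013-01-01T10:00:03Z 10.0.0.7 GET http://www.example.test/index.html?page=2
2013-01-01T10:00:04Z 10.0.0.7 CONNECT www.example.test:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def redact(value, keep=4):
    """Keep a short prefix for correlation without copying the secret into the report."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def find_url_credentials(log_text):
    """Return one finding per credential-like query parameter seen in a logged URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, target = m.groups()
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https"):
            continue  # e.g. CONNECT host:port has no URL query to inspect
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append({
                    "time": ts, "client": client, "host": parts.hostname,
                    "path": parts.path, "param": name, "value": redact(value),
                    # http: readable on the wire; https: still ends up in logs and history
                    "severity": "high" if parts.scheme == "http" else "medium",
                })
    return findings


if __name__ == "__main__":
    for finding in find_url_credentials(SAMPLE_LOG):
        print(finding)
```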


This topic is now archived and is closed to further replies.
