
(Archived) Evernote leaks authentication through http


SvenVD


Dear,

 

In the official Evernote Agent, when you click Usage>Username: "username_link".

 

A browser will pop up with you already fully authenticated to your account.


The problem is that when you click that link, it will create a plaintext HTTP GET:

 

GET http://www.evernote.com/setAuthToken?auth=xxxxxxxxxxxxxxxxxx=/User.action

 

Everybody sniffing the network, or every MITM like a proxy, can intercept this request, replay it and gain FULL access to ALL of your Evernote notes...

 

Can this be looked into? Am I missing something?

 

Thanks

 

 

 


Archived

This topic is now archived and is closed to further replies.
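
A defender-side check for the issue described in the post, as an added example that is not part of the original post or Evernote's code: it scans proxy-style request lines for credential-like query parameters sent to http:// URLs and reports them with the value redacted. The log format, the parameter names other than `auth`, and the example.com lines are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials. "auth" is the one shown in the post;
# the others are assumed common names, adjust them for your environment.
SENSITIVE_PARAMS = {"auth", "token", "access_token", "session", "sid"}


def redact(value, keep=4):
    """Keep only a short prefix so a finding can be logged without the secret."""
    return value[:keep] + "..." if len(value) > keep else "..."


def find_plaintext_tokens(log_lines):
    """Return (method, host, path, param, redacted_value) for every
    credential-like query parameter sent to an http:// URL."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # not a "METHOD target" line
        method, target = parts[0], parts[1]
        try:
            url = urlsplit(target)
        except ValueError:
            continue  # malformed target, nothing to inspect
        if url.scheme.lower() != "http":
            continue  # only cleartext requests expose the query string on the wire
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                findings.append(
                    (method, url.hostname, url.path, name, redact(value))
                )
    return findings


# Constructed sample input: the first line is the request quoted in the post,
# the remaining lines are made up to show what is and is not flagged.
SAMPLE_LOG = [
    "GET http://www.evernote.com/setAuthToken?auth=xxxxxxxxxxxxxxxxxx=/User.action",
    "GET https://www.example.com/setAuthToken?auth=CONSTRUCTEDTOKEN",
    "GET http://www.example.com/index.html?lang=en",
    "CONNECT www.example.com:443",
]

if __name__ == "__main__":
    for finding in find_plaintext_tokens(SAMPLE_LOG):
        print("cleartext credential in URL:", finding)
```
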
