Jump to content
There is a known issue that is preventing users from logging into the discussion forums. We're in the process of fixing this issue as quickly as possible, and will notify you once the issue has been resolved. Thank you for your patience! Read more... ×
Rich Tener

We have disabled the Geeknote app for all Evernote accounts

Recommended Posts

Hi everyone, I lead Evernote's security team. We recently received reports from a small number of users that they had discovered unauthorized access on their account from a third-party app called "Geeknote". We believe that someone has learned these users’ passwords from a website or service not associated with Evernote.

Our security team investigated these reports and found that Geeknote was being used by malicious actors to automate access to our service. We care about the security of Evernote customers, so we’ve revoked the app from our service to disrupt the abuse and protect customers.

If you were previously a Geeknote user, we've emailed you directly to explain this change.

If we detected unauthorized access on your account, we've also emailed you and reset your password.  

If you have not received either email notification from us, then you are likely not impacted.

We recommend that you always use a unique password on your Evernote account and setup two-factor authentication to better protect it. See https://evernote.com/security/tips for more tips on how to secure your account.

To understand more about Evernote and third-party applications visit: https://evernote.com/privacy/third-party-apps
 

  • Like 1
  • Sad 1

Share this post


Link to post
14 minutes ago, zingbretsen said:

Just to clarify, the malicious actors were just using Geeknote? Or do you believe that Geeknote itself is somehow compromised?

@zingbretsen that's correct. The malicious actors were just using Geeknote.

  • Like 1
  • Confused 1

Share this post


Link to post

Thanks for notification! :( Do I understand correcty that now I'm unable to use evernote with vim? Looks like I have to try simplenote sooner than expected.

  • Like 1

Share this post


Link to post

I maintain a geeknote fork.

@Rich Tener, I don't understand the action.  Geeknote simply uses the approved API to access the service via commandline.  Is there a security problem with the program itself?  Shutting it off now limits the functionality of legitimate users without recourse. 

What's the next step?

  • Like 2

Share this post


Link to post

Also, to add to this: since the security concern is not related to Geeknote (or the forks), it seems to be an overreaction to ban the entire use of the tool just because it was used by bad actors.  It would be akin to saying you would ban the Windows client for everyone because a some sets of compromised credentials were used with it (which I'm sure compromised credentials have been used with the Windows client too)

I get that Geeknote and/or Linux isn't nearly as widely used as the other platforms.  Is there an Evernote client option for Linux?  ...that isn't the web client?

  • Like 1

Share this post


Link to post

Thanks for notification. but actually I could not use geeknote because some F2A problem. I wanted to fix that but failed... 

However I always want to use evernote using command line or vim or any other editor on Linux.

I know this page is not for requesting, could you consider release official linux client? 

Share this post


Link to post
20 minutes ago, skshim said:

I know this page is not for requesting, could you consider release official linux client? 

This is one of several: 

Add your vote...

Share this post


Link to post
39 minutes ago, jefito said:

This is true, however, Geeknote did not cause a security incident. Unless something non-public occurred, from what we have been told (above):

4 hours ago, Rich Tener said:

@zingbretsen that's correct. The malicious actors were just using Geeknote.

 ...What will stop the miscreants from using NixNote (or any other) client non-official client?  When a compromised account is found on another non-official client, my fear is that Evernote will ban those as well.  This is very ominous sign for non-official clients.

 

 

36 minutes ago, jefito said:

This is one of several: 

Add your vote...

Added, thanks. :)

Share this post


Link to post

@ballard there were a couple issues going on. The first is that Geeknote doesn't comply with our API license, which requires the developer to protect their consumer secrets. Geeknote is a standalone app, so the secret is in the source code (config.py). To properly protect it, the developer needs to remove it from the source code and set up a web service to authenticate users. In situations where someone is using an app to abuse our service, we work with the developer to stop new logins on their infrastructure. With Geeknote, we can't do that because there is no infrastructure. We also couldn't reach the original developer that registered the API key.

There is a path forward. For standalone apps like Geeknote, we support a downloadable personal authentication token called a developer token (http://dev.evernote.com/doc/articles/dev_tokens.php). With some app modifications, you can use this personal developer token to authenticate Geeknote to your account.

We've had abuse issues with dev tokens in the past, so we whitelist who can use them. Before we revoked Geeknote from our service, we enabled dev token downloads for everyone that had been using Geeknote. 

Jeff Kowalski, the maintainer of the forked version, has reached out to us and we are working with him on a path forward to get Geeknote working again.

  • Like 1

Share this post


Link to post

Thank you @Rich Tener and team for the swift help.  And thank you sincerely for your vigilance in protecting users against intrusion as well as insecure code.  I'm impressed that you cross-posted to the geeknote forks as well as posting on this forum page.  It's clear that you were striving for transparency and support.

To the Community: While I'm not the original author of geeknote, I've been maintaining an active branch at https://github.com/jeffkowalski/geeknote.

In the original source from which I forked, the consumer key and secret were checked into github, and since that can't be erased from the master record, that's a persistent source of problem that can only be addressed by disabling those credentials.  I support Evernote's decision to disable access via those credentials.

As Rich points out, there is good news.  We can generate and successfully use personal developer tokens immediately to regain access individually. Furthermore, moving forward there's the opportunity for a proper OAuth implementation.  Please see https://github.com/jeffkowalski/geeknote/issues/89 for a bit more discussion.

In short, to get going again, it's sufficient to set the EVERNOTE_DEV_TOKEN environment variable to your own newly acquired developer token before invoking geeknote once again as usual.

For the longer-term solution, I solicit and welcome suggestions and coding help in implementing the proper OAuth solution that will make geeknote accessible again to users more broadly. 

Please take those suggestions and pull requests over to the github site.

Thank you, 

Jeff

  • Like 2

Share this post


Link to post
3 hours ago, jeff.kowalski said:

In short, to get going again, it's sufficient to set the EVERNOTE_DEV_TOKEN environment variable to your own newly acquired developer token before invoking geeknote once again as usual.

I got a new developers token and tried to invoke geeknote as follows, but I get no output:

EVERNOTE_DEV_TOKEN='my-token-here'; geeknote notebook-list

but I get no output. Do I need to login again?

Share this post


Link to post
11 hours ago, ballard said:

This is true, however, Geeknote did not cause a security incident. Unless something non-public occurred, from what we have been told (above):

Um, not sure what this means You asked the following: "Is there an Evernote client option for Linux?" In my reply, I cited NixNote, which is an Evernote client (software that uses the Evernote service),  though not an Evernote-written client. Ambiguous question, possibly, but answered unambiguously, and nothing to do with Geeknote or any  security incident (or non-incident).

Share this post


Link to post

My access history has a lot of unathorized access from Geeknote and I have reset my password. Does this mean all my notes and data in Evernote has been compromised? I have some credentials and personal details in it. 

Share this post


Link to post

@compromised if you discovered unauthorized access to your account, someone had access to everything in it. We don't know exactly what the malicious actors are looking for, but based on previous investigations, we believe they are searching for cryptocurrency wallet credentials. I suggest rotating any credentials you had stored in your notes and looking at a purpose-built password manager to store those moving forward.

Share this post


Link to post

@Rich Tener and @jeff.kowalski, thank you for your responses, those make perfect sense.

@jefito sorry for my less-than-straightforward answer.  My worries were that something like NixNote could be banned too, but the other responses have addressed that worry.

@compromised: beyond what the others have said, I might suggest turning on Multi-factor authentication.

 

  • Like 1

Share this post


Link to post
On 4/4/2018 at 9:41 PM, Pierre François said:

I got a new developers token and tried to invoke geeknote as follows, but I get no output:


EVERNOTE_DEV_TOKEN='my-token-here'; geeknote notebook-list

but I get no output. Do I need to login again?

Remove the semicolon in your command line if you want geeknote to be able to see that environment variable.

Share this post


Link to post

How can I create multiple notes in sequence at once ? 

Let me know  other tool to replace a useful geeknote ?

Share this post


Link to post

Hi there. I'm a Linux System Architect, which means I work from the CLI a lot and have more than a passing knowledge of security. I frequently have a need to add notes out of a terminal, and copy/paste is not my favorite activity. I'm not pleased about the lack of CLI tools in Evernote. I run OSX and don't particularly feel like figuring out how to write Applescript to accomplish CLI note access.

After reading this thread, I fail to see how Geeknote is doing anything that any other client or integration could be doing or, for that matter, a sufficiently coded TamperMonkey script or something. It seems to me like there are far more effective methods that could be used to slow or block unauthorized access to accounts that would not punish legitimate customers that want to use geeknote. Perhaps you could just generate oAuth tokens like you do with developer API tokens, and include a security disclaimer about storing said tokens? Alternately, adding CLI tools to the Evernote for Mac client would scratch my particular itch, but clearly there are lots of linux users that want access to their notes from the CLI too.

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×