Security Issue: Already downloaded notes are still available after revoking access to account.


Following your advice on this post, I have changed my password. That wasn't enough, because I had to revoke access from my devices manually via your website. Maybe you should mention that in that post.

Moreover, in the Windows version, I could still access the notes. The Windows version (6.17.6.8292 (308292) Public (CE Build ce-62.1.7539)) asked me for my password to sync my notes, but I could still access the existing ones, the ones that were downloaded before changing the password and revoking access. This seems to be a security issue in that version, because I have tried with iOS and Android and on both devices I couldn't access my already downloaded notes, which seems to be the correct behavior to me.

I recommend that

1. You revoke all access from all devices as soon as someone changes their password.

2. You revoke access to the existing notes if someone cannot provide the new password.


It's a good point, we should revoke access to unknown devices in addition to changing our password. I'm not usually concerned about my known devices.

My understanding is that revoking access will cause devices to log off when they go online. The new password is required to log on.



The problem is that signing off of a Windows or Mac client does not revoke access to any notes stored locally. They are largely plain text on the hard drive in their respective databases. To really make Evernote secure, it would need to both log the user off and wipe local content, similar to the Wipe Device commands available in Office 365 for mobile devices.

36 minutes ago, EdH said:

They are largely plain text on the hard drive in their respective databases.

Just wondering about Windows and the "in their respective databases" part.
Are the note contents really plain text?

I'm using a Mac and the note contents are plain text. There's a content.enml text file for each note.

1 hour ago, dconnet said:

No. It's a sqlite database.

Assuming we're using database software, what would we see for the note contents?
I'm guessing a BLOB object but I'm unable to verify. I have no idea how to view that kind of object.

3 hours ago, dconnet said:

No. It's a sqlite database.

but it isn't encrypted, right? It is just plain text in the database. So there is no inherent protection of the .exb file, or is that not correct?

And on the Mac, it is plain text in its format. I've seen the note files.

On 3/14/2019 at 4:34 PM, EdH said:

but it isn't encrypted, right? It is just plain text in the database. So there is no inherent protection of the .exb file, or is that not correct?

That's correct.

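To check for yourself what the thread above asserts (that the Windows client's SQLite .exb store keeps note bodies unencrypted, and what a BLOB column actually holds), the following is an added example written for this page, not code from the thread, from Evernote, or from any participant. It assumes only that the file opens as an ordinary SQLite database; it enumerates tables and columns from sqlite_master and PRAGMA table_info rather than assuming any schema, then flags each TEXT/BLOB value as plaintext-looking or not using a printable-byte ratio and Shannon entropy, and optionally searches for a phrase you know is in one of your notes. The sample database it builds in a temp directory (table name, columns, ENML-like body, and the pseudo-ciphertext row) is constructed for the demo.

```python
"""Scan a SQLite note store for note bodies held in the clear.

Added example, not from the forum thread. Assumption: the target file (e.g. a
copy of the Windows client's .exb) opens as a plain SQLite database. Always
scan a copy, not the live file the client has open.
"""
import hashlib
import math
import os
import sqlite3
import tempfile
from typing import Dict, List, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext/random data sits near 8, prose/XML near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_plaintext(data: bytes) -> bool:
    """Heuristic: mostly printable ASCII (plus tab/CR/LF) and entropy well below ciphertext."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.9 and shannon_entropy(data) < 6.0


def scan_sqlite_for_plaintext(path: str, needle: Optional[str] = None) -> List[Dict]:
    """Walk every table and every TEXT/BLOB-ish column; report how each value looks.

    Schema is discovered at runtime, so nothing about Evernote's table layout is assumed.
    """
    needle_bytes = needle.encode("utf-8") if needle else None
    conn = sqlite3.connect(path)
    findings: List[Dict] = []
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            q_table = '"' + table.replace('"', '""') + '"'
            columns = [(r[1], (r[2] or "").upper())
                       for r in conn.execute(f"PRAGMA table_info({q_table})")]
            for col, ctype in columns:
                # Untyped columns are included: SQLite lets them hold anything.
                if ctype and not any(k in ctype for k in ("TEXT", "CHAR", "CLOB", "BLOB")):
                    continue
                q_col = '"' + col.replace('"', '""') + '"'
                try:
                    rows = conn.execute(f"SELECT rowid, {q_col} FROM {q_table}").fetchall()
                except sqlite3.OperationalError:  # e.g. WITHOUT ROWID tables
                    continue
                for rowid, value in rows:
                    if isinstance(value, str):
                        raw = value.encode("utf-8", "surrogateescape")
                    elif isinstance(value, (bytes, memoryview)):
                        raw = bytes(value)
                    else:
                        continue
                    findings.append({
                        "table": table, "column": col, "rowid": rowid,
                        "size": len(raw),
                        "entropy": round(shannon_entropy(raw), 2),
                        "is_plaintext": looks_like_plaintext(raw),
                        "contains_needle": bool(needle_bytes and needle_bytes in raw),
                    })
    finally:
        conn.close()
    return findings


def build_sample_db(path: str) -> str:
    """Constructed stand-in for a note store: one cleartext ENML body, one ciphertext-like blob."""
    enml = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE en-note SYSTEM "http://xml.evernote.com/pub/enml2.dtd">\n'
            b'<en-note><div>Router admin password: hunter2</div><div>PIN 4321</div></en-note>')
    # Deterministic pseudo-random bytes standing in for an encrypted body (no real cipher used).
    pseudo_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, content BLOB)")
        conn.executemany("INSERT INTO notes (id, title, content) VALUES (?, ?, ?)",
                         [(1, "Home network", enml), (2, "Encrypted note", pseudo_ciphertext)])
    conn.close()
    return path


def demo() -> List[Dict]:
    """Build the constructed sample in a temp dir and scan it for a phrase we know is in note 1."""
    with tempfile.TemporaryDirectory() as d:
        return scan_sqlite_for_plaintext(build_sample_db(os.path.join(d, "sample.exb")),
                                         needle="PIN 4321")


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On a real store, point scan_sqlite_for_plaintext at a copy of the .exb and pass a phrase from one of your notes as the needle; a hit with is_plaintext True in a BLOB column is exactly the "no inherent protection" case the thread describes, and the answer to the question of what a BLOB looks like is simply "the ENML, byte for byte".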