burabil

Security Issue: Already downloaded notes are still available after revoking access to account.

Idea

Following your advice on this post, I have changed my password. That wasn't enough, because I had to revoke access from my devices manually via your website. Maybe you should mention that in that post.

Moreover, in the Windows version, I could still access the notes. The Windows version (6.17.6.8292 (308292) Public (CE Build ce-62.1.7539)) asked me for my password to sync my notes, but I could still access the existing ones, the ones that were downloaded before changing the password and revoking access. This seems to be a security issue in that version, because I have tried with iOS and Android, and on both devices I couldn't access my already downloaded notes, which seems to be the correct behavior to me.

I recommend that

1. You revoke all access from all devices as soon as someone changes their password.

2. You revoke access to the existing notes if someone cannot provide the new password.

11 replies to this idea

It's a good point, we should revoke access to unknown devices in addition to changing our password.  I'm not usually concerned about my known devices.

My understanding is that revoking access will cause devices to log off when they go online.  The new password is required to log on.
The problem is signing off of a Windows or Mac client does not revoke access to any notes stored locally. They are largely plain text on the hard drive in their respective databases. To really make Evernote secure, it would need to both log the user off and wipe local content, similar to the Wipe Device commands available in Office 365 for mobile devices.

36 minutes ago, EdH said:

They are largely plain text on the hard drive in their respective databases.

Just wondered about Windows and the "in their respective databases".
Are the note contents really plain text?

I'm using a Mac and the note contents are plain text.  There's a content.enml text file for each note.

2 minutes ago, DTLow said:

Are the note contents really plain text?

No. It's a sqlite database.

1 hour ago, dconnet said:

No. It's a sqlite database.

Assuming we're using database software, what would we see for the note contents?
I'm guessing a BLOB object but I'm unable to verify.  I have no ideas on viewing that kind of object.


It's hidden in there in some weird way, sorry, I don't remember how (the structure pre-dates me and my work has just been thru our access functions)

3 hours ago, dconnet said:

No. It's a sqlite database.

but it isn't encrypted, right? It is just plain text in the database. So there is no inherent protection of the .exb file, or is that not correct?

And on the Mac, it is plain text in its format. I've seen the note files.

On 3/14/2019 at 4:34 PM, EdH said:

but it isn't encrypted, right? It is just plain text in the database. So there is no inherent protection of the .exb file, or is that not correct?

That's correct.

56 minutes ago, dconnet said:

That's correct.

That's correct that that is not correct?  :wacko:

31 minutes ago, CalS said:

That's correct that that is not correct?  :wacko:

It's an unencrypted sqlite database.

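As an added illustration (not code from Evernote or from anyone in this thread), the following Python script builds a constructed local SQLite note store and then runs the two checks a defender would use to confirm what the replies above describe: the file begins with the plain `SQLite format 3` header, so it is not encrypted at rest, and a known note body can be read straight out of the raw file bytes without the application or any credentials. It also shows the "log off and wipe local content" mitigation from the earlier reply. The file name, table layout and note text are assumptions made up for this example and are not the real client schema.

```python
import os
import sqlite3
import tempfile

# Every unencrypted SQLite 3 database file starts with this 16-byte magic.
# Encrypted-at-rest stores (e.g. SQLCipher) scramble the header instead.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Constructed sample note for the demo; not real data from any client.
SAMPLE_TITLE = "Demo note"
SAMPLE_BODY = "<en-note>Constructed secret body for the audit</en-note>"


def build_demo_store(path: str) -> None:
    """Create a throwaway local note database holding one plaintext note.
    The 'notes' table is an invented stand-in for the client's own schema."""
    conn = sqlite3.connect(path)
    try:
        conn.execute(
            "CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, content TEXT)"
        )
        conn.execute(
            "INSERT INTO notes (title, content) VALUES (?, ?)",
            (SAMPLE_TITLE, SAMPLE_BODY),
        )
        conn.commit()
    finally:
        conn.close()


def has_plain_sqlite_header(path: str) -> bool:
    """True when the file carries the SQLite magic, i.e. it is a plain,
    unencrypted database that any sqlite3 tool can open."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def raw_file_contains(path: str, needle: str) -> bool:
    """Scan the raw bytes, bypassing the sqlite3 library entirely; a known
    note body turning up here means no protection exists at the file level."""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()


def audit_local_store(path: str, known_body: str) -> dict:
    """Summarise what an attacker with file access (but no password) gets."""
    if not os.path.exists(path):
        return {"present": False, "plain_header": False, "body_recoverable": False}
    return {
        "present": True,
        "plain_header": has_plain_sqlite_header(path),
        "body_recoverable": raw_file_contains(path, known_body),
    }


def wipe_local_store(path: str) -> list:
    """Remove the database and its journal/WAL sidecars on sign-out.
    Plain unlink is not a secure erase; the dependable control is encryption
    at rest with a key that is discarded on revocation, so the on-disk bytes
    become unreadable whether or not the files are actually gone."""
    removed = []
    for suffix in ("", "-journal", "-wal", "-shm"):
        candidate = path + suffix
        if os.path.exists(candidate):
            os.remove(candidate)
            removed.append(candidate)
    return removed


def run_demo() -> tuple:
    """Audit a fresh store, apply the wipe, and audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "demo.exb")  # constructed name, mirrors the .exb extension discussed
        build_demo_store(db)
        before = audit_local_store(db, SAMPLE_BODY)
        wipe_local_store(db)
        after = audit_local_store(db, SAMPLE_BODY)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before sign-out:", before)
    print("after wipe:     ", after)
```

Run on a store you own, `plain_header` and `body_recoverable` both come back `True` for an unencrypted SQLite file, which is the point made in the thread: signing out of the client does nothing to these bytes. The wipe step removes the file and its sidecars, but the comment in `wipe_local_store` is the real lesson: deleting is a stopgap, and encrypting the local store under a key that is dropped when access is revoked is what makes already-synced notes unreadable on a revoked device.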
2 hours ago, CalS said:

That's correct that that is not correct?  :wacko:

Yes.

