EdH

Possible Security Issue - Why is Evernote texting me my authentication code?


I use two factor authentication and use a Google Authenticator device. I just logged into the website on a new browser instance and when it asked me for my 2FA code, before I could get my app launched on my phone, Evernote texted me my code.

I just checked my account security and Text is not checked, but the app is.

Why would Evernote text me this? I had not failed to authenticate, nor had I asked it to use a backup method, which for me would be my backup codes I have saved, not text.

Seems to be a security issue with Evernote's servers.

@Rich Tener

  • Thanks 1


I've started seeing the same thing a day or so ago and when I also go to my settings only Google Authentication app is selected. Receiving by text is not active but I am getting codes by text anyway. This is something that needs to be looked at immediately but more importantly notice needs to issue if there is a problem and when it will be fixed.


This is also happening to me. I noticed it last week and then again today.

Posted (edited)

To confirm: @EdH you are getting the exact same six digit code that the Google Authenticator app displays for about 30 seconds, via text? Or are you getting a text with a different six digit code that also works, but is different from the one displayed by the Google Authenticator app?

Have you tried waiting until after the currently displayed code on G Auth expires before trying the code from the text? Can you still authenticate?

IIRC, Evernote servers aren't supposed to be able to generate the 6 digit codes generated by the G Auth app running on the end-user's device. Those codes are generated in real time, based on a hash of the private key (that only the end-user has; not even Google's servers are supposed to keep this!) and date time stamp. Evernote servers shouldn't even be able to access that info, until the user enters the code, then the [edit: EN client or the EN server, not sure which, uses that code to query] the Google service and gets a token back saying if the code is valid at that moment in time.

Edited by John in Michigan USA
correct minor error re how code is validated


I can confirm that it was a different code to the one displayed in my Authy app. The code from Authy worked perfectly. Did not try the texted code.


Looks like I'm not the only one with this issue. Those separate and valid authentication codes are making me a little nervous.


@John in Michigan USA The exact same 6 digit code! Yes, there seems to be a problem. I use Authy, but same calculation as Google Authenticator. And same 6 digit code.

@Jim Finn I wonder if you got a different code because it was on the verge of changing so the text went out before it changed and Authy showed you a new one? (or vice versa)

  • Sad 1


Not sure. The Authy code was in the middle of the 30 second countdown or so. Not trusting the text message though. Waiting for official word on the issue but not holding my breath.


I wonder if it's related to this banner in the Evernote Forums?

https://discussion.evernote.com/topic/119048-security-update-email-regarding-account-security/


Opened ticket #2801981. Let's see what they say, besides rebooting my PC and the usual.


Good luck, let me know how it ends up for you.

  • Haha 1


@EdH (and others on the thread): I looked into this and it turns out to be a small error on our side for the 2FA logic that was introduced while fixing other issues. Simply, we were evaluating a statement incorrectly that determines whether we send the code to the phone if authenticator is enabled. The logic was flipped, so it would always send the code in the case where a user has an auth app setup.

We've got a fix already. It should hopefully go out in the next day or so, when we do our weekly scheduled maintenance.

  • Like 2
  • Thanks 1
  • Sad 1

Posted (edited)

Not impressed with the logic section of that code. That code is supposed to be audited before going live. Auditing means testing *all* execution paths or branches of the code. If they couldn't find this logic error in the audit, it wasn't much of an audit.

Furthermore, sending out the G Auth code gives up one of the strongest features of Google Auth, a thing that separates it from simple, SMS-based 2FA: only the user can generate codes! Letting the server generate codes is the equivalent of storing the user's password in the clear in the user database...you should always store a salted hash of it, or otherwise prevent server admins from being able to easily discover user passwords for themselves.

I guess the lesson is, don't put important stuff like bank info into Evernote!

Edit: I should add that I just experienced this bug when logging into the Web interface from a friend's PC. Waterfox browser v. 56.2.8 (64-bit)

Edited by John in Michigan USA
able to reproduce bug
  • Like 2

1 hour ago, John in Michigan USA said:

Furthermore, sending out the G Auth code gives up one of the strongest features of Google Auth, a thing that separates it from simple, SMS-based 2FA: only the user can generate codes! Letting the server generate codes is the equivalent of storing the user's password in the clear in the user database...you should always store a salted hash of it, or otherwise prevent server admins from being able to easily discover user passwords for themselves.

Hi @John in Michigan USA. Our 2FA uses TOTP, which is an algorithm based on HMAC, and does not use any asymmetric algorithm with public/private keys. When a user sets up TOTP 2FA, they scan a code into their Google Authenticator app. This code is a “shared secret” that both the Evernote Service and the user’s gauth app keep a copy of. This secret is used to generate codes that can be transmitted to authenticate one party to the other. When you send a 2FA code to Evernote, the service uses its copy of the secret to generate a code, and compares your code to it to see if your code is valid. It’s very important that the secret stays safe, which is why it is never transmitted again after 2FA is set up.

You can read more about TOTP on Wikipedia.

  • Like 2

23 minutes ago, Scott T. said:

Hi @John in Michigan USA. Our 2FA uses TOTP, which is an algorithm based on HMAC, and does not use any asymmetric algorithm with public/private keys. When a user sets up TOTP 2FA, they scan a code into their Google Authenticator app. This code is a “shared secret” that both the Evernote Service and the user’s gauth app keep a copy of. This secret is used to generate codes that can be transmitted to authenticate one party to the other. When you send a 2FA code to Evernote, the service uses its copy of the secret to generate a code, and compares your code to it to see if your code is valid. It’s very important that the secret stays safe, which is why it is never transmitted again after 2FA is set up.

You can read more about TOTP on Wikipedia.

Thanks for the info. I hope the shared secret is encrypted at rest in your databases ...


@Scott T. Thanks. I'm a glutton for punishment, so I've been reading the TOTP and HOTP RFCs. I see that asymmetric keys are not really a part of the RFCs; they would probably fall under the category of allowed but not required. So I withdraw my statement "only the user can generate codes". I guess TOTP isn't as robust as I assumed it was. But it is certainly appropriate for this use case.

I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

39 minutes ago, John in Michigan USA said:

@Scott T. I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

Everyone in the software world is concerned with this, but the Halting Problem being what it is, it hasn't been solved yet, at least in the large scale. Humans in the loop mean bugs are always possible, this on a day when Facebook announced a minor mishap of their own: https://www.cnn.com/2019/03/21/tech/facebook-password-database/index.html

6 minutes ago, jefito said:

Everyone in the software world is concerned with this, but the Halting Problem being what it is, it hasn't been solved yet, at least in the large scale. Humans in the loop mean bugs are always possible, this on a day when Facebook announced a minor mishap of their own: https://www.cnn.com/2019/03/21/tech/facebook-password-database/index.html

I wouldn't call that a "minor" mishap. Like I said, I hope the shared secret and passwords are encrypted at rest in Evernote's databases ...

4 minutes ago, eric99 said:

I wouldn't call that a "minor" mishap. Like I said, I hope the shared secret and passwords are encrypted at rest in Evernote's databases ...

You do understand that "minor mishap" was meant ironically, right?

  • Like 1


I wouldn't hold anyone/thing up to Facebook for comparisons of security. That is like your teenaged son after being in a fender bender telling you it is ok because the town drunk was in a much worse accident last weekend and killed a bus load of children.

  • Haha 1

3 hours ago, John in Michigan USA said:

I am still concerned that audited code apparently made it into production with a logic error, even though that logic error itself presents only a minor security problem (codes leaking without user's knowledge).

This is a fair concern. We have tests for 2FA, but they use a testing helper function for getting the code. Effectively, the helper acts like the authenticator, generating the code from the seed. We don't have tests for the actual SMS sending. I'll follow up with the team to find out if we can use one of the many services out there that let you set up a virtual phone number for receiving SMS texts.

  • Thanks 2

4 hours ago, eric99 said:

Thanks for the info. I hope the shared secret is encrypted at rest in your databases ...

I will follow up with our Security team about this.


Spoke with the Security team. Since our whole technology stack is built on top of the Google Cloud Platform (and stored there), we automatically get encryption at rest by default. You can read more about it on the GCP site.

  • Like 2

1 hour ago, inquisitor said:

Does this mean my evernote data is stored by google?

Nope. Just means EN "leases" Google servers to store all our data. Here is some background.

1 hour ago, inquisitor said:

Does this mean my evernote data is stored by google?

Don't overreact to the answer on this.

At one time Evernote operated their own data centres. At the start, there were no other options.

These days, it's more cost efficient to rent services from other companies; Google, Amazon, ....


Anybody should be happy to learn that EN has outsourced the data storage to Google (or Amazon, or Microsoft, or ... any other major cloud service). This is common practice today for a lot of companies. It does not mean that Google is handling the data, they just run the data center on which the EN data (which is my data, your data, our data !) is saved and processed.

This means the data is super-safe, distributed over a number of data centers, backed up to an extent that a single company could most likely not guarantee.

If you use the data stored in your EN account professionally, you should think about closing a data processing agreement with EN. For European users with professional data use, this is obligatory under European data protection laws. I did this, with a very professional reaction by EN and without additional cost. Just issue a support ticket, briefly explaining why you want to add this amendment to your account. EN confirms in there that the data will be handled and protected in compliance with the new European data protection laws (which is to my knowledge the strictest ruleset of all G20 countries).


Yes. I use it professionally which is why I investigated this issue - very perceptive Pink Elephant. Thank you very much for sharing your experience. I will follow up with EN regarding an amendment. Best wishes.
