Sean Chapple

(Archived) Another Serious Security Failing

I have recently opted out of EB after a string of issues with EB that culminated today in a very serious security flaw.

 

An unauthorised user was able to join my EB account - this was without an invite being sent. I am unsure how this was possible, as the EB account had no notebooks or notes in it; I had stripped them out due to ongoing problems with EB.

 

The email from EN stated 'xxxxx has joined your Business Account. They were able to join because you've set up auto-approval for any users with email addresses that end in @hotmail.com.'


Sorry to hear about the problem. Unauthorized access is a serious issue, but in this case it sounds like it was authorized. If you change your business administration settings, shouldn't you be able to prevent this?


The concerns I have go beyond a settings menu.

My EB account had not been shared with anyone; it was not listed or featured on any website. It was only on my own PCs because I was building the EB Library. The 'user' is completely unknown to me and has not responded to my email asking how they were able to access my EB account.

Furthermore, when this occurred (earlier today) my EB account was entirely empty of notebooks/notes. I had removed all these two weeks ago after syncing problems.

Also my understanding is that users are invited. I have not seen a setting where I can click that any email ending in '@hotmail.com' is automatically granted access. If it was there I certainly would not be clicking yes.


I'm afraid I am not a business administrator, so I can't offer much specific help beyond saying that I think there is a setting for this. According to the Evernote Business site, "Auto-approval by email domain: If your company has a dedicated email domain (e.g. @evernote.com), your company's Evernote Business Admin may allow anyone with an email address at that domain to join the company's Evernote Business account. To find out if your company has enabled this method of joining, please contact your Admin directly."

http://evernote.com/business/guide/#2

It does seem odd that they were able to get this far along in the process with your email address and so forth. I encourage you to contact Evernote support (see my signature). If it is the case that Business starts off with a setting that allows anyone with a hotmail account to access your notebooks, then that is a problem! My guess is that this setting just needs to be clarified / tweaked.


Thanks for the response. I am the administrator, no one else had access to the EB Library, and I do not understand how they got onto the account.

I have been using EN for several years, but certainly do not have confidence in the integrity or safeguards in place with EB to continue using the platform in a business environment.

I will stick with EN for personal use, which is a fantastic product, but look elsewhere for business use.

I have logged a ticket with EN support.


Thanks for sending it to CS. I thought we disallowed auto-approval for @hotmail.com. When did this happen?

 

Auto-approval is on one of the setup screens. That screen also lists the URL to visit so users can be approved automatically and join your business. I'm assuming the person had to visit that URL.


This happened yesterday. More alarmingly, below is the response that I just received from the user who I was billed for:

"Hi Sean

This is certainly not fraud. I set up a business account as a test for our company, using my personal email. I was asked to set a password and then it said 'you have joined Sean Chapple's Business Account'.

I did think it very strange but as it stated you as the business administrator I thought it may be an Evernote Business account manager as it is quite a new service and that would be the account contact.

I was not at any point asked for payment information and no costs were mentioned. I'm very sorry that you have been charged for this - have the company responded to the situation? Please keep me in the loop on their response.

I can only try to reassure you that I will not access this account until it is resolved and that I will not look at any of your content. What a mess!"


We're really sorry this happened, Sean. Thank you for reporting it to us through a support ticket so we can address it quickly.

The Business Success (support) team has ensured that the user no longer has access to your business, and they turned off the "automatic approval" for the "hotmail.co.uk" email domain.

Auto-approval is intended to make it easier for a business administrator to roll out Evernote Business for a company when everyone has the same email address (john@evernote.com, suzy@evernote.com). To avoid an issue like yours in the future, we have done a few things:

1) We disabled auto-approval for the most common domains around the world. This had already been in place for most major domains.

2) We've made auto-approval unchecked by default.

3) Auto-approval now requires an extra confirmation before being enabled.

We'll also look into other ways to make sure other companies are not affected.

Other users who want to check their Evernote Business's auto-approval settings can do so easily:

1) Log into the Admin Console https://www.evernote.com/business/AccountSettings.action

2) Select the "Add Users" tab

3) You'll see any email domains with the ability to automatically join your business.

Your support tickets are in the Business Support team's queue and they should be following up directly.

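The three safeguards the support reply lists (refuse public webmail domains, default off, explicit confirmation) plus exact domain matching, modelled as a small join check. This is an added example, not Evernote's code; the function names and the PUBLIC_WEBMAIL_DOMAINS sample are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: consumer webmail domains anyone can register an
# address at, so they must never be valid auto-approval domains.
PUBLIC_WEBMAIL_DOMAINS = frozenset({
    "hotmail.com", "hotmail.co.uk", "outlook.com", "gmail.com", "yahoo.com",
})


@dataclass
class AutoApprovalSettings:
    enabled: bool = False      # safeguard 2: unchecked by default
    confirmed: bool = False    # safeguard 3: extra admin confirmation
    domains: frozenset = field(default_factory=frozenset)


def normalize_domain(domain: str) -> str:
    # Accept "@Example.com" or "Example.com"; compare case-insensitively.
    d = domain.strip().lower().lstrip("@")
    if not d or "." not in d or any(c.isspace() for c in d):
        raise ValueError(f"not a valid email domain: {domain!r}")
    return d


def validate_auto_approval_domain(domain: str) -> str:
    # Safeguard 1: refuse a public provider at configuration time, so the
    # admin console never stores it in the first place.
    d = normalize_domain(domain)
    if d in PUBLIC_WEBMAIL_DOMAINS:
        raise ValueError(f"{d} is a public webmail domain; auto-approval refused")
    return d


def email_domain(email: str) -> str:
    local, sep, domain = email.rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an email address: {email!r}")
    return normalize_domain(domain)


def evaluate_join(email: str, settings: AutoApprovalSettings) -> tuple[bool, str]:
    # Decision plus reason, so an audit log explains why a join succeeded.
    if not settings.enabled:
        return False, "auto-approval disabled"
    if not settings.confirmed:
        return False, "auto-approval enabled but not confirmed by admin"
    dom = email_domain(email)
    if dom in PUBLIC_WEBMAIL_DOMAINS:
        return False, f"{dom} is a public webmail domain"
    if dom not in settings.domains:          # exact match, never a suffix test
        return False, f"{dom} is not an approved domain"
    return True, f"{dom} is an approved domain"
```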