
We have disabled the Geeknote app for all Evernote accounts

Open en-security opened this issue 6 years ago • 50 comments

Hello,

Evernote has disabled the integration between this app and our service due to security concerns. If you’d like to learn more, please review this post on our customer forums:

https://discussion.evernote.com/topic/112711-we-have-disabled-the-geeknote-app-for-all-evernote-accounts/

Regards,

The Evernote Security Team

en-security avatar Apr 03 '18 20:04 en-security

@en-security, I've read the thread from Rich Tener and I don't understand the action. Geeknote simply uses the approved API to access the service via commandline. Is there a security problem with the program itself? Shutting it off now limits the functionality of legitimate users without recourse.

What's the next step?

jeffkowalski avatar Apr 03 '18 21:04 jeffkowalski

@jeffkowalski Hi Jeff,

Please contact us directly at [email protected] so that we can discuss next steps.

Thanks,

Jeff Lanza Evernote Security

en-security avatar Apr 03 '18 22:04 en-security

Geeknote users and developers,

I connected with the Evernote security team this evening, and I wanted to share their status update and recommendation with you:

Thanks for getting in contact with us. We detected that an attacker had weaponized the use of Geeknote to automate accessing Evernote accounts. The attacker learned the password to a small percentage of our users’ accounts and connected the Geeknote app to them. 

In situations like this, we reach out to the developer to work with them to stop the abuse on their end of the service. We were unable to reach the registered developer for Geeknote. When we looked at the Geeknote app, we found that the consumer secret was publicly available in the source code. This situation doesn’t comply with our API license (http://dev.evernote.com/doc/reference/api_license.php), so we revoked it.

Moving forward, you have a couple of different options.

1) Register for a new developer key at https://dev.evernote.com. We’ll issue you a consumer key and secret and, with some app changes, you can support OAuth as an authentication method. You’ll probably want to rename the app (Geeknote 2). You’ll also need to set up a web service to protect the consumer secret, store the OAuth tokens, and broker the communications between Geeknote and our service. I realize this could take a non-trivial amount of time and expense, so I recommend looking at option 2.

2) Update the Geeknote code to support Personal Developer Tokens (http://dev.evernote.com/doc/articles/dev_tokens.php). This would let any Evernote user download a token that can be used with a stand-alone app like Geeknote. This is the easiest path forward to get users back online with Geeknote.

We currently whitelist which users can use personal developer tokens. We’ve already seeded that whitelist with every Geeknote user that was using the app before the credential stuffing attack happened.

I believe that setting the environment variable EVERNOTE_DEV_TOKEN to the token acquired via path 2 above should be sufficient. Please do NOT check that token into a repo.

I could use help in a more permanent solution via path 1 described above.

I'm grateful to the Evernote team for their security vigilance and for their quick help today.

jeffkowalski avatar Apr 04 '18 03:04 jeffkowalski

I don't understand fully what I have to do. I acquired a new developer token, which I stored inside the file $HOME/.evernote_dev_token. When I run EVERNOTE_DEV_TOKEN=$(cat $HOME/.evernote_dev_token) geeknote notebook-list, I don't get any output. I wonder if I need to login again.

pierrefrancois avatar Apr 04 '18 09:04 pierrefrancois

I'm not sure what's going on, @pierrefrancois. You may want to examine the process in the debugger and see what's going on at https://github.com/jeffkowalski/geeknote/blob/master/geeknote/oauth.py#L175 where the environment variable is used. Hope this helps you get started.

jeffkowalski avatar Apr 04 '18 18:04 jeffkowalski

When setting the EVERNOTE_DEV_TOKEN env variable, I'd recommend enclosing the token in double quotes. Also, you need to export this variable so that it will be visible in the child process. The simplest way to test whether the environment variable works is to create a wrapper shell script, like this:

#!/bin/sh
export EVERNOTE_DEV_TOKEN="...your.dev.token.here..."
geeknote "$@"

Save it as e.g. gn, make it executable: chmod +x gn and then run: ./gn notebook-list

iafan avatar Apr 04 '18 18:04 iafan
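A variant of the wrapper above that keeps the token out of the script file, as an added example (not from the geeknote project or from any commenter here): it reads the token from a file that only the owner can read, refuses to run if the file is missing, empty or readable by others, and exports EVERNOTE_DEV_TOKEN the same way the wrapper above does. The path $HOME/.evernote_dev_token and the EVERNOTE_DEV_TOKEN_FILE override are assumptions, not geeknote defaults.

```shell
#!/bin/sh
# Added example, not code from the geeknote project: a wrapper that loads the
# Evernote personal developer token from a private file instead of pasting it
# into the script, so the wrapper itself is safe to commit and the token is not.
# Assumed token file: $HOME/.evernote_dev_token (overridable via
# EVERNOTE_DEV_TOKEN_FILE); this path is an assumption, not a geeknote default.
TOKEN_FILE="${EVERNOTE_DEV_TOKEN_FILE:-$HOME/.evernote_dev_token}"

# load_dev_token FILE: export EVERNOTE_DEV_TOKEN from FILE.
# Returns 1 (and exports nothing) if the file is missing, empty, or
# readable by group/other, since the token grants full account access.
load_dev_token() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "token file $file not found" >&2
        return 1
    fi
    # Group and other permission bits from 'ls -l' (columns 5-10), portable
    # across GNU and BSD; anything but '------' means someone else can read it.
    mode=$(ls -l "$file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "token file $file is readable by others; run: chmod 600 $file" >&2
        return 1
    fi
    # Strip the trailing newline an editor leaves behind; reject an empty file.
    token=$(tr -d '[:space:]' < "$file")
    if [ -z "$token" ]; then
        echo "token file $file is empty" >&2
        return 1
    fi
    export EVERNOTE_DEV_TOKEN="$token"
    return 0
}

# Run geeknote only when a subcommand was given (./gn notebook-list); with no
# arguments the script just defines load_dev_token so it can be sourced.
if [ $# -gt 0 ]; then
    load_dev_token "$TOKEN_FILE" || exit 1
    exec geeknote "$@"
fi
```

Save it as gn, chmod +x gn, put the token in $HOME/.evernote_dev_token with chmod 600, and run ./gn notebook-list.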

I saw in the .py sources of geeknote that my version is an old one, without reference to the environment variable EVERNOTE_DEV_TOKEN. I will upgrade to the new version and see if this hack does the trick.

pierrefrancois avatar Apr 05 '18 13:04 pierrefrancois

I don't understand why Evernote recommends that geeknote use developer tokens, but when I talked to a rep to get a developer token, the reply was "We have disabled developer tokens for Geeknote at this time". It could be that that rep didn't have the right info. Who would you contact for a developer token?

UPDATE: I did get a token now.

ghostwheel avatar Apr 05 '18 16:04 ghostwheel

@ghostwheel https://www.evernote.com/api/DeveloperToken.action

aiguofer avatar Apr 05 '18 16:04 aiguofer

@aiguofer What I see there is "Update: the creation of developer tokens is temporarily disabled." If I understand correctly, this has been since October, though some users see a different response on that page. And the recommendation was to contact support: https://discussion.evernote.com/topic/108911-developer-token-are-not-supported-anymore/ I did, and now I got that reply, but the ticket is still in process, so I might get a token eventually. I just wanted to see if there is a better way to contact Evernote for this...

ghostwheel avatar Apr 05 '18 16:04 ghostwheel

@ghostwheel you did everything right, and it seems like a miscommunication on Evernote's side. I'll follow up with CS internally on that.

iafan avatar Apr 05 '18 17:04 iafan

@pierrefrancois please ensure you're using version 2.0.13, the latest release of geeknote. If you simply type geeknote with no arguments, you should see

Version: 2.0.13
Geeknote - a command line client for Evernote.
Use geeknote --help to read documentation.

jeffkowalski avatar Apr 05 '18 17:04 jeffkowalski

OK, I did get a token!

ghostwheel avatar Apr 05 '18 19:04 ghostwheel

In the future, if anyone expects a significant delay with getting access to developer token functionality, feel free to post your Zendesk ticket number here so that we can connect dots and be able to escalate your ticket through our customer support pipeline.

iafan avatar Apr 05 '18 19:04 iafan

@jeffkowalski I installed a new version of geeknote from the git repository by issuing git clone git://github.com/VitaliyRodnenko/geeknote.git but after installation, I get version 0.1 running. What did I do wrong? How do I best install geeknote on Ubuntu to be sure to get at least version 2.0.13?

pierrefrancois avatar Apr 05 '18 20:04 pierrefrancois

@pierrefrancois you need to clone my repo (this one we're in right now), not vitaliy's

jeffkowalski avatar Apr 05 '18 20:04 jeffkowalski

@jeffkowalski it works. Thanks. The linuxbrew system didn't work right out of the box on Ubuntu 17.10. So I compiled from the sources. I had to enforce the use of python2 in a python3 environment. The installation command needed to be prefixed by sudo: sudo pip2 install --upgrade . The documentation in the file README.md would benefit from being more accurate on that point.

pierrefrancois avatar Apr 06 '18 12:04 pierrefrancois

Everything currently works, using developer tokens. Cloning this repository and installing with pip (following instructions from README). I created a wrapper, which exports the EVERNOTE_DEV_TOKEN variable, exactly like @iafan said, and everything works so far.

Mladia avatar Apr 17 '18 00:04 Mladia

@Mladia How did you obtain a developer token? It seems that https://www.evernote.com/api/DeveloperToken.action is still "temporarily disabled". Did you obtain a developer token through the customer support ticket system?

atwinkelman avatar Apr 17 '18 16:04 atwinkelman

@atwinkelman if you see the 'temporary disabled' message, you need to open a customer support ticket to have this functionality enabled for you. We tried to identify and whitelist previous Geeknote users so that they wouldn't have to go through customer support, but we may have missed some.

iafan avatar Apr 17 '18 16:04 iafan

@iafan Thanks! I've opened up a support ticket yesterday but haven't heard back yet.

I have not used geeknote yet so I wouldn't be on the list. I'm coming over from nixnote2 since I'm having problems getting nixnote2 to run now. I'd like to take a copy of my notes to the field with no internet access.

atwinkelman avatar Apr 17 '18 17:04 atwinkelman

@atwinkelman I used this link https://www.evernote.com/api/DeveloperToken.action .

Thanks to @aiguofer from a post here.

Mladia avatar Apr 18 '18 01:04 Mladia

@atwinkelman if you can provide your support ticket number here, I can escalate it.

iafan avatar Apr 18 '18 03:04 iafan

@Mladia Thanks for the link.

@iafan I heard from the support team last night, so I should be set now. I set up a wrapper like you suggested and it works! Thanks for the help.

atwinkelman avatar Apr 18 '18 17:04 atwinkelman

I get the same "temporarily disabled" message, however I'm not able to create a support ticket. Every time I go to the support site it asks me to login to create a ticket, so I hit login, which takes me to my notes, then if I go to the support page again (whether via the help menu or in a new tab) it says I'm logged out again and must login again, and I get stuck in a cycle. Anyone else had this problem? How were you able to create a ticket?

UPDATE: somehow I got it working, Zendesk #2492444.

UPDATE2: got a token.

Dieterbe avatar Apr 29 '18 09:04 Dieterbe

Can I login to the same account from different machines with the same developer token?

saamkhya avatar Jun 27 '18 20:06 saamkhya

Hello saamkhya,

I could.

Pierre

On 27-06-18 22:16, saamkhya wrote:

Can I login to the same account from different machines with the same developer token?


pierrefrancois avatar Jun 27 '18 20:06 pierrefrancois

Does yinxiang.com work?

dindom999 avatar Jun 28 '18 03:06 dindom999

@dindom999 you should be able to do export GEEKNOTE_BASE=yinxiang before running Geeknote for it to talk to app.yinxiang.com (see this code). The developer token must also be activated on app.yinxiang.com (tokens are not shared between two service instances).

iafan avatar Jun 28 '18 04:06 iafan

Thanks @iafan! I know about export GEEKNOTE_BASE=yinxiang, as I already did that. What I mean is, I am not sure whether there is a developer token for app.yinxiang.com; I found it temporarily disabled when clicking https://app.yinxiang.com/api/DeveloperToken.action . I worry about yinxiang.com ignoring the developer token.

dindom999 avatar Jun 28 '18 05:06 dindom999