Evernote Android Insecure Password Change (one-click setup)

Product: Evernote (Android)
Project Homepage: evernote.com
Internal Advisory ID: c22-2013-05
Vulnerable Version(s): Android version 5.5.0 (and prior)
Tested Version: Android version 5.x (on Android OS 4.2/4.3)
Vendor Notification: Aug 13, 2013
Public Disclosure: December 07, 2013
Vulnerability Type: Authentication Bypass Issues [CWE-592]
CVE Reference: CVE-2013-5116
Issue Severity: Important impact
CVSSv2 Base Score: 6.6 (AV:L/AC:L/AU:N/C:C/I:C/A:N)
Discovery: Chris John Riley ( http://blog.c22.cc )

Advisory Details:

Affected versions of Evernote on the Android platform allow a user with limited access to an Android device via the ADB (Android Debug Bridge) interface (USB debugging enabled, no root access required) to perform a backup and restore of applications and application data. The ADB backup functionality requires an Android device running the Ice Cream Sandwich version of Android (4.x) or above.

Evernote on Android offers a "one-click setup" mode of installation for users who do not have a pre-existing Evernote account. This setup creates an Evernote account whose password the user does not know. To cover this case, Evernote embedded functionality to set the password manually after the "one-click setup", should the user wish to do so.

Using a simple process, an attacker with physical access to a device can back up the Evernote Android container and extract the "one-click setup" password link (ONE_CLICK_SET_PASSWORD_URL) from the .pref.xml file, which is stored in clear text within the backup. Using this link, the attacker can change the password of the user's account without the user being aware of it (or losing access to Evernote via the Android application).

The password change page supplied via the "one-click setup" password URL does not request any further authentication from the user, and as a result could be abused by determined attackers to gain backdoor access to users' Evernote accounts without the users' knowledge.

Impact:

Attackers can extract, and possibly maintain, access to a user's Evernote data from a lost or stolen device. Temporary access to a user's device could expose the value of ONE_CLICK_SET_PASSWORD_URL.

Evernote have released a new version to the Google Play store that corrects this issue by disabling the ability to perform an ADB backup of the Evernote container. It has been confirmed that version 5.5.1 is no longer directly susceptible to this attack method (via ADB backup).

References:

At this time Evernote have not provided an advisory discussing the issue.
http://blog.c22.cc/2013/09/05/a-sneak-peak-into-android-secure-containers-2
http://blog.c22.cc/2013/08/01/bsideslv-android-backup-unpacker-release

Vulnerability Timeline:

May, 2013 - Initial discovery of vulnerability
Aug 13, 2013 - Evernote contacted with request for secure communications
Aug 13, 2013 - Response from Evernote setting up secure communications
Aug 13, 2013 - Details reported to Evernote
Aug 15, 2013 - Response from Evernote confirming issues being examined
Aug 16, 2013 - CVE numbers sent to Evernote
Aug 27, 2013 - Name added to Evernote acknowledgements page
Nov 13, 2013 - Requested update from Evernote
Nov 15, 2013 - Response from Evernote - issues still being tracked
Nov 25, 2013 - Confirmation that other issues have been addressed in 5.5.1
Dec 05, 2013 - Asked for confirmation regarding "one-click setup" issue
Dec 06, 2013 - Received response that Evernote consider this mitigated
Dec 07, 2013 - Advisory released (delayed)
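The fix Evernote shipped in 5.5.1 was to stop the app's container from being included in an ADB backup. The following script is an added example for auditing an Android app against the two conditions this advisory combines: whether the manifest still permits backup, and whether the app's shared preferences hold credential-like keys that a backup would carry in clear text. It is not Evernote's code; the manifest and preferences documents are constructed samples (only the key name ONE_CLICK_SET_PASSWORD_URL comes from the advisory, and its value below is a placeholder), and the "sensitive name" markers are a heuristic to tune for the app under review.

```python
"""Audit an Android app's backup exposure.

Added example for this advisory, not Evernote's code. The manifest and
preference files below are constructed samples; the token values are
placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest with no android:allowBackup attribute. On the Android
# versions the advisory covers the platform default is "true", so `adb backup`
# includes the app's private data.
MANIFEST_DEFAULT = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <application android:label="Notes"/>
</manifest>
"""

# Same manifest with the mitigation the advisory describes: backup disabled.
MANIFEST_HARDENED = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <application android:label="Notes" android:allowBackup="false"/>
</manifest>
"""

# Constructed shared_prefs document of the kind a backup would contain. The key
# name ONE_CLICK_SET_PASSWORD_URL is from the advisory; values are placeholders.
PREFS_SAMPLE = """
<map>
    <string name="ONE_CLICK_SET_PASSWORD_URL">https://example.invalid/set-password?token=PLACEHOLDER</string>
    <string name="theme">dark</string>
    <boolean name="sync_on_wifi" value="true"/>
    <string name="auth_token">PLACEHOLDER</string>
</map>
"""

# Substrings in a preference name that suggest the value grants or changes
# access. Heuristic only (assumption of this example).
SENSITIVE_MARKERS = ("password", "passwd", "token", "secret", "session", "auth")


def backup_allowed(manifest_xml: str) -> bool:
    """Return True if the manifest permits ADB backup of the app's data."""
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    value = app.get("{%s}allowBackup" % ANDROID_NS)
    # A missing attribute means the platform default, which is true.
    return True if value is None else value.strip().lower() == "true"


def sensitive_pref_keys(prefs_xml: str) -> list:
    """Return the names of preference entries that look like credentials.

    Only names are reported, never values, so the report itself does not
    leak what it found."""
    root = ET.fromstring(prefs_xml.strip())
    return [
        el.get("name", "")
        for el in root
        if any(m in el.get("name", "").lower() for m in SENSITIVE_MARKERS)
    ]


def audit(manifest_xml: str, prefs_xml: str) -> dict:
    """Combine both checks into one finding.

    exposed_via_backup lists the credential-like keys an `adb backup` would
    carry in clear text; it is empty when backup is disabled, because the
    container is then not reachable through that path at all."""
    allowed = backup_allowed(manifest_xml)
    keys = sensitive_pref_keys(prefs_xml)
    return {
        "backup_allowed": allowed,
        "sensitive_keys": keys,
        "exposed_via_backup": keys if allowed else [],
    }


if __name__ == "__main__":
    for label, manifest in (("default", MANIFEST_DEFAULT),
                            ("hardened", MANIFEST_HARDENED)):
        print(label, audit(manifest, PREFS_SAMPLE))
```

Disabling backup closes the path this advisory describes, but the second check still matters: a password-setting link or session token stored in clear text remains readable by anyone who obtains the app's private directory by another route, so the durable fix is not to persist such a credential at all, or to invalidate it once the user has set a password.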