exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Evernote Android Insecure Password Change

Evernote Android Insecure Password Change
Posted Dec 13, 2013
Authored by Chris John Riley

Evernote on Android can have its one-click setup functionality leveraged maliciously to change a user's password without their knowledge.

tags | advisory
advisories | CVE-2013-5116
SHA-256 | ba18b28f54ca2d88cea8523c0e775b385fed288a3a06b92f0fd87c5eef2e2283

Evernote Android Insecure Password Change

Change Mirror Download
Evernote Android Insecure Password Change (one-click setup)

Product: Evernote (Android)
Project Homepage: evernote.com
Internal Advisory ID: c22-2013-05
Vulnerable Version(s): Android version 5.5.0 (and prior)
Tested Version: Android 5.x (Android 4.2/4.3)
Vendor Notification: Aug 13, 2013
Public Disclosure: December 07, 2013
Vulnerability Type: Authentication Bypass Issues [CWE-592]
CVE Reference: CVE-2013-5116
Issue Severity: Important impact
CVSSv2 Base Score: 6.6 (AV:L/AC:L/AU:N/C:C/I:C/A:N)
Discovery: Chris John Riley ( http://blog.c22.cc )

Advisory Details:

Effected versions of Evernote on the Android platform allow
for users with limited access via the ADB (Android Debug Bridge)
interface of an Android device (USB debugging enabled, no root access
required) to perform backup and restore of applications and application
data. The ADB backup functionality requires an Android device running
the Ice-Cream Sandwich version of Android (4.x) or above.

Evernote on Android allows for a "one-click setup" mode of installation
where the user setting up Evernote on the Android device does not have
a pre-existing Evernote account. The resulting setup on Android creates
an Evernote account that the user does not know the password for. As a
result, Evernote embedded the functionality to set the password manually
after the "one-click setup" should the user wish to perform this action.

Using a simple process, it is possible for an attacker with physical
access to a device to backup the Evernote Android container and extract
the created "one-click setup" password link (ONE_CLICK_SET_PASSWORD_URL)
from the <userid>.pref.xml file (stored in clear-text within the backup).

Using this link it is possible for an attacker to change the password
of the users account without the user being aware (or loosing access to
Evernote via the Android application). The password change box supplied
via the "one-click setup" password url does not request any further
authentication from the user, and as a result could be abused by
determined attackers to gain backdoor access to users Evernote accounts
without the user knowledge.

Impact:
Attackers can extract and possibly maintain access to a user's Evernote
data from a lost or stolen device. Temporary access to a users device
could expose the value of ONE_CLICK_SET_PASSWORD_URL.

Evernote have released a new version to the Google Play store that
corrects these issue by disabling the ability to perform an ADB backup
of the Evernote container. It has been confirmed that the version 5.5.1
is no longer directly susceptible to this attack method (via ADB backup)

References:
At this time Evernote have not provided an advisory discussing the issue
http://blog.c22.cc/2013/09/05/a-sneak-peak-into-android-secure-containers-2
http://blog.c22.cc/2013/08/01/bsideslv-android-backup-unpacker-release

Vulnerability Timeline:

May, 2013 - Initial discovery of vulnerability
Aug 13, 2013 - Evernote contacted with request for secure communications
Aug 13, 2013 - Response from Evernote setting up secure communications
Aug 13, 2013 - Details reported to Evernote
Aug 15, 2013 - Response from Evernote confirming issues being examined
Aug 16, 2013 - CVE numbers sent to Evernote
Aug 27, 2013 - Name added to Evernote acknowledgements page
Nov 13, 2013 - Requested update from Evernote
Nov 15, 2013 - Response from Evernote - issues still being tracked
Nov 25, 2013 - Confirmation that other issues have been address in 5.5.1
Dec 05, 2013 - Asked for confirmation regarding "one-click setup" issue
Dec 06, 2013 - Received response that Evernote consider this mitigated
Dec 07, 2013 - Advisory released (delayed)
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close