We have disabled the Geeknote app for all Evernote accounts

[en-security]

Hello,

Evernote has disabled the integration between this app and our service due to security concerns. If you’d like to learn more, please review this post on our customer forums:

https://discussion.evernote.com/topic/112711-we-have-disabled-the-geeknote-app-for-all-evernote-accounts/

Regards,

The Evernote Security Team

[jeffkowalski]

@en-security, I've read the thread from Rich Tener and I don't understand the action. Geeknote simply uses the approved API to access the service via commandline. Is there a security problem with the program itself? Shutting it off now limits the functionality of legitimate users without recourse.

What's the next step?

[en-security]

@jeffkowalski
Hi Jeff,

Please contact us directly at [email protected] so that we can discuss next steps.

Thanks,

Jeff Lanza
Evernote Security

[jeffkowalski]

Geeknote users and developers,

I connected with the Evernote security team this evening, and I wanted to share their status update and recommendation with you:

Thanks for getting in contact with us. We detected that an attacker had weaponized the use of Geeknote to automate accessing Evernote accounts. The attacker learned the password to a small percentage of our users’ accounts and connected the Geeknote app to them. 

In situations like this, we reach out to the developer to work with them to stop the abuse on their end of the service. We were unable to reach the registered developer for Geeknote. When we looked at the Geeknote app, we found that the consumer secret was publicly available in the source code. This situation doesn’t comply with our API license (http://dev.evernote.com/doc/reference/api_license.php), so we revoked it.

Moving forward, you have a couple of different options.

1) Register for a new developer key at https://dev.evernote.com. We’ll issue you a consumer key and secret and with some app changes, you can support oauth as an authentication method. You’ll probably want to rename the app (Geeknote 2). You’ll also need to setup a web service to protect the consumer secret, store the oauth tokens, and broker the communications between Geeknote and our service. I realize this could take a non-trivial amount of time and expense, so I recommend looking at option 2.

2) Update the Geeknote code to support Personal Developer Tokens (http://dev.evernote.com/doc/articles/dev_tokens.php). This would let any Evernote user download a token that can be used with a stand-alone app like Geeknote. This is the easiest path forward to get users back online with Geeknote.

We currently whitelist which users can use personal developer tokens. We’ve already seeded that whitelist with every Geeknote user that was using the app before the credential stuffing attack happened.

I believe that setting the environment variable EVERNOTE_DEV_TOKEN to the token acquired via path 2 above should be sufficient. Please do NOT check that token into a repo.

I could use help in a more permanent solution via path 1 described above.

I'm grateful to the evernote team for their security vigilance and for their quick help today.

[pierrefrancois]

I don't understand fully what I have to do. I acquired a new developers token, which I stored inside the file $HOME/.evernote_dev_token. When I run EVERNOTE_DEV_TOKEN=$(cat $HOME/.evernote_dev_token) geeknote notebook-list, I don't get any output. I wonder if I need to login again.

[jeffkowalski]

I'm not sure what's going on, @pierrefrancois
You may want to examine the process in the debugger and see what's going on at https://github.com/jeffkowalski/geeknote/blob/master/geeknote/oauth.py#L175 where the environment variable is used. Hope this helps you get started.

[iafan]

When setting the EVERNOTE_DEV_TOKEN env variable, I'd recommend enclosing the token in double quotes. Also, you need to export this variable so that it will be visible in the child process. A simplest way to test if the environment variable works is to create a wrapper shell script, like that:

#!/bin/sh
export EVERNOTE_DEV_TOKEN="...your.dev.token.here..."
geeknote "$@"

Save it as e.g. gn, make it executable: chmod +x gn and then run: ./gn notebook-list

[pierrefrancois]

I saw in the .py sources of geeknote that my version is an old one, without reference to the environment variable EVERNOTE_DEV_TOKEN. I will upgrade to the new version and see if this hack does the trick.

[ghostwheel]

I don't understand why Evernote recommends that geeknote use developer tokens, but when I talked to a rep to get a developer token, the reply was "We have disabled developer tokens for Geeknote at this time"
It could be that that rep didn't have the right info. Who would you contact for a developer token?

UPDATE: I did get a token now.

[aiguofer]

@ghostwheel https://www.evernote.com/api/DeveloperToken.action

[ghostwheel]

@aiguofer What I see there is "Update: the creation of developer tokens is temporarily disabled."
If I understand correctly, this has been since October, though some users see a different response on that page. And the recommendation was to contact support:
https://discussion.evernote.com/topic/108911-developer-token-are-not-supported-anymore/
I did, and now I got that reply, but the ticket is still in process, so I might get a token eventually. I just wanted to see if there is a better way to contact Evernote for this...

[iafan]

@ghostwheel you did everything right, and it seems like a miscommunication on Evernote's side. I'll follow up with CS internally on that.

[jeffkowalski]

@pierrefrancois please ensure you're using version 2.0.13, the latest release of geeknote.
If you simply type geeknote with no arguments, you should see

Version: 2.0.13
Geeknote - a command line client for Evernote.
Use geeknote --help to read documentation.

[ghostwheel]

OK, I did get a token!

[iafan]

In the future, if anyone expects a significant delay with getting access to developer token functionality, feel free to post your Zendesk ticket number here so that we can connect dots and be able to escalate your ticket through our customer support pipeline.

[pierrefrancois]

@jeffkowalski I installed a new version of geeknote from the git repository issuing git clone git://github.com/VitaliyRodnenko/geeknote.git but after installation, I get version 0.1 running. What did I wrong? How do I best install geeknote on Ubuntu for being sure to get at least version 2.0.13?

[jeffkowalski]

@pierrefrancois you need to clone my repo (this one we're in right now), not vitaliy's

[pierrefrancois]

@jeffkowalski it works. Thanks.
The linuxbrew system didn't work right of the box on Ubuntu 17.10. So I compiled from the sources.
I had to enforce the use of python2 in a python3 environment.
The installation command needed to be prefixed by sudo: sudo pip2 install --upgrade . The documentation in the file README.md would gain to be more accurate on that point.

[Mladia]

Everything currently works, using developer tokes. Cloning this repository and installing with pip (following instructions from REAMDE).
I created a wrapper, which exports the EVERNOTE_DEV_TOKEN variable, exaclty like @iafan said and everything works so far.

[atwinkelman]

@Mladia How did you obtain a developer token? It seems that https://www.evernote.com/api/DeveloperToken.action is still "temporarily disabled". Did you obtain a developers token through the customer support ticket system?

[iafan]

@atwinkelman if you see the 'temporary disabled' message, you need to open a customer support ticket to have this functionality enabled for you. We tried to identify and whitelist previous Geeknote users so that they wouldn't have to go through customer support, but we may have missed some.

[atwinkelman]

@iafan Thanks! I've opened up a support ticket yesterday but haven't heard back yet.

I have not used geeknote yet so I wouldn't be on the list. I'm coming over from nixnote2 since I'm having problems getting nixnote2 to run now. I'd like to take a copy of my notes to the field with no internet access.

[Mladia]

@atwinkelman I used this link https://www.evernote.com/api/DeveloperToken.action .

Thanks to @aiguofer from a post here.

[iafan]

@atwinkelman if you can provide your support ticket number here, I can escalate it.

[atwinkelman]

@Mladia Thanks for the link.

@iafan I heard from the support team last night, so I should be set now. I set up a wrapper like you suggested and it works! Thanks for the help.

[Dieterbe]

I get the same "temporary disabled" message, however i'm not able to create a support ticket. Every time I go to support site it asks to login to create a ticket, so i hit login, which takes me to my notes, then if i go to the the support page again (whether via the help menu or in a new tab) it says i'm logged out again and must login again, and i get stuck in a cycle. Anyone else had this problem? how were you able to create a ticket?

UPDATE: somehow I got it working, zendesk #2492444
UPDATE2: got a token

[saamkhya]

Can I login to the same account from different machines with the same developer token?

[pierrefrancois]

Hello saamkhya, I could. Pierre

…

On 27-06-18 22:16, saamkhya wrote: Can I login to the same account from different machines with the same developer token? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#89 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AEborQ4tokL4S0z-9VS_x13DExUyrG2yks5uA-gZgaJpZM4TFulv>.

[dindom999]

does yinxiang.com work?

[iafan]

@dindom999 you should be able to do export GEEKNOTE_BASE=yinxiang before running Geeknote for it to talk to app.yinxiang.com (see this code). The developer token must also be activated on app.yinxiang.com (tokens are not shared between two service instances).

[dindom999]

Thinks @iafan ! I know export GEEKNOTE_BASE=yinxiang as I already did. What I mean is , I am not sure is there developer token for app.yinxiang.com , I found
temp disable when click in https://app.yinxiang.com/api/DeveloperToken.action .
I worry about yingxiang.com ignoring developer token.

[iafan]

@dindom999 Developer tokens are disabled by default (for security reasons), but you can go to Yinxiang support and ask to unlock this functionality for you.

[dindom999]

It works! thanks @iafan

[WhyNotHugo]

Do each of us need to manually open a ticket to request that tokens be enabled?
That's really poor UX; what's up with that?

None of the support categories seem to fit this request either, so I kinda just picked something vaguely related. Can you pick up #2684290?

[jeffkowalski]

@WhyNotHugo, I'm not sure what you mean by "pick up #2684290"
Can you elaborate?

[iafan]

@jeffkowalski that's likely the support ticket number at Evernote. @WhyNotHugo (and future visitors): if you opened the ticket to enable developer tokens, it will be processed; let's not hijack this issue as a support channel. You can also provide your feedback directly to Evernote Customer Support.

[iafan]

@jeffkowalski it probably makes sense to also lock the conversation on this ticket since it provides enough information on the subject.

[biluncloud]

@iafan I've requested a ticket #2716322, could you please help to proceed?

[XayOn]

To open a request ticket it's required to have a paid account.
Does that mean geeknote can only be used from evernote paid accounts?

[jeffkowalski]

I believe that would be the case

…

On Sun, May 19, 2019, 6:47 AM David Francos ***@***.***> wrote: To open a request ticket it's required to have a paid account. Does that mean geeknote can only be used from evernote paid accounts? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#89?email_source=notifications&email_token=AAAN4MGC6YIIAAMCOA6S2JTPWEV3DA5CNFSM4EYW5FX2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVW7RDI#issuecomment-493746317>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAAN4MGLU3CNXOWGYRNDXL3PWEV3DANCNFSM4EYW5FXQ> .

[iafan]

@XayOn @jeffkowalski if one needs a token, create a new full-access API key from https://dev.evernote.com/ and then request its activation on production Evernote server. We will send you an instruction on how to exchange your personal API key for a personal auth token that you can use in Geeknote (just let us know in the activation request comment that you need this key for use in Geeknote).

[XayOn]

Thank you @iafan.
I'll give it a try.

[XayOn]

I just sent the forms. I'll give updates on this ticket as soon as I get a response. Maybe this could be added afterwards to the documentation @jeffkowalski ? I'm willing to add it on a PR if it works and you see it ok. Thanks. El lun., 20 may. 2019 a las 20:22, Igor Afanasyev (<[email protected]>) escribió:

…

@XayOn <https://github.com/XayOn> @jeffkowalski <https://github.com/jeffkowalski> if one needs a token, create a new full-access API key from https://dev.evernote.com/ and then request its activation on production Evernote server. We will send you an instruction on how to exchange your personal API key for a personal auth token that you can use in Geeknote (just let us know in the activation request comment that you need this key for use in Geeknote). — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#89?email_source=notifications&email_token=AAA2FLRLSFGV2URM6DQT7D3PWLT75A5CNFSM4EYW5FX2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODVZVLVI#issuecomment-494097877>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAA2FLRGZZNZPZHU65UKTDLPWLT75ANCNFSM4EYW5FXQ> .

-- Gracias, David Francos Cuartero (davidfrancos.net) -------------------------------------------------------------- Head of development - Sipay Plus (sipay.es) Founder - Dlabs Hackerspace (www.dlabs.co) Promoter - Zaragoza Python User Group ( https://plus.google.com/communities/103281359456269063508) , Betabeers Zaragoza (www.betabeers.com)

[jeffkowalski]

I'd welcome a doc PR, @XayOn

[XayOn]

Nice, @jeffkowalski @iafan Any estimation on how much does the token take to be promoted?

[iafan]

@XayOn if you're about your particular API key activation request, it was processed the same day (did you get an email?). API key requests are reviewed in batches, and usually it takes 1-2 days to process a request.

[XayOn]

@iafan ok, thanks.

I didn't receive any confirmation email nor instructions on how to get the personal auth token with it... 😕

[iafan]

@XayOn I just re-sent the email. Please check your spam/trash folder.

[XayOn]

Sorry for the noise, I changed my mind several times on formatting.

@iafan Thanks a lot for your support, it worked nicely.
@jeffkowalski I added instructions to readme on #116

[komodikkio]

Hi all.
I need some help to solve this, cause it's making me mad
I followed the token request path and i was able to generate it.
I'm trying now to login with the newly created access token but, when issuing "geeknote login" command i get this error:
EDAMSystemException(errorCode=8, rateLimitDuration=None, _message='authenticationToken')
I tryed both ways, manually exporting the EVERNOTE_DEV_TOKEN variable in the shell and also using the wrapper iafan suggested
I opened a support ticket (n° 2890110)
Could someone help me find my mistake?
Thanks in advance

EDIT:
Looks like my problem was caused by a previous failed login attempt wrote inside the db or in the geeknote app path
As adviced here I deleted the db file and doing so, i noticed there was a isyinxiang file inside the .geeknote folder
After deleting the db and the isyinxiang file, i was able to login successfully