[CVE-2013-5116] Evernote Android Insecure Password Change (one-click setup)

Evernote Android Insecure Password Change (one-click setup)

Product: Evernote (Android)
Project Homepage: evernote.com
Internal Advisory ID: c22-2013-05
Vulnerable Version(s): Android version 5.5.0 (and prior)
Tested Version: Android 5.x (Android 4.2/4.3)
Vendor Notification: Aug 13, 2013
Public Disclosure: December 07, 2013
Vulnerability Type: Authentication Bypass Issues [CWE-592]
CVE Reference: CVE-2013-5116
Issue Severity: Important impact
CVSSv2 Base Score: 6.6 (AV:L/AC:L/AU:N/C:C/I:C/A:N)
Discovery: Chris John Riley ( http://blog.c22.cc )

Advisory Details:

Effected versions of Evernote on the Android platform allow
for users with limited access via the ADB (Android Debug Bridge)
interface of an Android device (USB debugging enabled, no root access
required) to perform backup and restore of applications and application
data. The ADB backup functionality requires an Android device running
the Ice-Cream Sandwich version of Android (4.x) or above.

Evernote on Android allows for a "one-click setup" mode of installation
where the user setting up Evernote on the Android device does not have
a pre-existing Evernote account. The resulting setup on Android creates
an Evernote account that the user does not know the password for. As a
result, Evernote embedded the functionality to set the password manually
after the "one-click setup" should the user wish to perform this action.

Using a simple process, it is possible for an attacker with physical
access to a device to backup the Evernote Android container and extract
the created "one-click setup" password link (ONE_CLICK_SET_PASSWORD_URL)
from the <userid>.pref.xml file (stored in clear-text within the backup).

Using this link it is possible for an attacker to change the password
of the users account without the user being aware (or loosing access to
Evernote via the Android application). The password change box supplied
via the "one-click setup" password url does not request any further
authentication from the user, and as a result could be abused by
determined attackers to gain backdoor access to users Evernote accounts
without the user knowledge.

Impact:
Attackers can extract and possibly maintain access to a user's Evernote
data from a lost or stolen device. Temporary access to a users device
could expose the value of ONE_CLICK_SET_PASSWORD_URL.

Evernote have released a new version to the Google Play store that
corrects these issue by disabling the ability to perform an ADB backup
of the Evernote container. It has been confirmed that the version 5.5.1
is no longer directly susceptible to this attack method (via ADB backup)

References:
At this time Evernote have not provided an advisory discussing the issue
http://blog.c22.cc/2013/09/05/a-sneak-peak-into-android-secure-containers-2
http://blog.c22.cc/2013/08/01/bsideslv-android-backup-unpacker-release

Vulnerability Timeline:

May, 2013 - Initial discovery of vulnerability
Aug 13, 2013 - Evernote contacted with request for secure communications
Aug 13, 2013 - Response from Evernote setting up secure communications
Aug 13, 2013 - Details reported to Evernote
Aug 15, 2013 - Response from Evernote confirming issues being examined
Aug 16, 2013 - CVE numbers sent to Evernote
Aug 27, 2013 - Name added to Evernote acknowledgements page
Nov 13, 2013 - Requested update from Evernote
Nov 15, 2013 - Response from Evernote - issues still being tracked
Nov 25, 2013 - Confirmation that other issues have been address in 5.5.1
Dec 05, 2013 - Asked for confirmation regarding "one-click setup" issue
Dec 06, 2013 - Received response that Evernote consider this mitigated
Dec 07, 2013 - Advisory released (delayed)