Archive for the ‘Evernote vulnerability’ Category

Description: This is a URI redressing vulnerability found on evernote’s website. The vulnerability allowed victim’s account to get deleted by few clicks without his knowledge/consent. This vulnerability defeated the CSRFbuster token which was used on their site.

The vulnerability was reported first on 5/10/2013 but due to the issue of evernote’s ticketing system I had to resend the mail after a few days to obtain a ticket. After discussion with evernote’s sec-team, they told me that it had already been reported previously by some other researcher, hence my name wasn’t being listed on the site. Nevertheless, they fixed the vulnerability now.

Vulnerability: URI Redressing


Impact: Loss of files/account

Risk/Severity: High