How not to send password reset notification email

200 points| slaven | 13 years ago |scriptogr.am | reply

40 comments

[+] Avestan|13 years ago|reply
In their Security Notice they write "Never click on 'reset password' requests in emails — instead go directly to the service". And after I changed my password I received a confirmation email saying

"This email confirms your recent Evernote password change.

If your Evernote password was changed without your knowledge, then please click the link below to change it again:" And a big "Reset Password" button.

A bit funny as they just told me to never click on something like that.

[+] LaGrange|13 years ago|reply
This is more generic: if you do link tracking in your email, do it through your own domain, it's really not that hard, and urls that go through some other business are a huge red flag.

Personally, I probably cut people a bit of slack by going through whois to check if the domain belongs to some well-recognized mass mailer, but I wouldn't blame the MUA for just spamming anything that mentions a "login" along with a domain that isn't a descendant of the sender's domain.
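
The heuristic described above (flag a mail that talks about logging in and links to a host that is not the sender's domain or a subdomain of it), as an added example that is not part of the original thread or of any mail client. The From: header and HTML body are constructed to mirror the mkt5371.com case discussed here; the attacker.example and tracker.example hosts are made up to show the two lookalike tricks the check has to survive (a domain that merely starts with "evernote.com", and a URL with "evernote.com" in the userinfo part before the "@").

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _HrefCollector(HTMLParser):
    """Collect the href targets of <a> tags from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value.strip())


def extract_links(html_body):
    parser = _HrefCollector()
    parser.feed(html_body)
    return parser.hrefs


def sender_domain(from_header):
    """Domain part of a From: header such as 'Evernote <noreply@evernote.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not match:
        raise ValueError("no address found in From header")
    return match.group(1).lower().rstrip(".")


def is_descendant(host, domain):
    """True when host is the domain itself or a subdomain of it.

    The leading dot matters: 'evernote.com.attacker.example' must not match.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def foreign_links(from_header, html_body):
    """Return every link whose host is outside the sender's domain tree."""
    domain = sender_domain(from_header)
    bad = []
    for href in extract_links(html_body):
        parts = urlsplit(href)
        if parts.scheme in ("", "mailto"):
            # relative links, anchors and mailto: carry no host to judge
            continue
        # .hostname strips userinfo and port, so http://evernote.com@evil/ is
        # judged on "evil", not on the text a hovering user sees first
        host = parts.hostname
        if host is None or not is_descendant(host, domain):
            bad.append(href)
    return bad


def classify(from_header, html_body, keywords=("login", "log in", "password", "sign in")):
    """Mail-client style verdict: login talk plus off-domain links is suspect."""
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    mentions_login = any(k in text for k in keywords)
    bad = foreign_links(from_header, html_body)
    return ("suspect" if mentions_login and bad else "ok"), bad


# Constructed sample mail, modelled on the thread's mkt5371.com complaint.
SAMPLE_FROM = "Evernote Service <noreply@evernote.com>"
SAMPLE_BODY = """<html><body>
<p>Please reset your password.</p>
<p><a href="http://mkt5371.com/ctt?m=34">Reset Password</a></p>
<p><a href="https://www.evernote.com/ResetPassword.action">Or go directly to evernote.com</a></p>
<p><a href="http://evernote.com.attacker.example/login">Login here</a></p>
<p><a href="http://evernote.com@tracker.example/t">Help</a></p>
<p><a href="mailto:support@evernote.com">support</a></p>
</body></html>"""

if __name__ == "__main__":
    verdict, links = classify(SAMPLE_FROM, SAMPLE_BODY)
    print(verdict)
    for link in links:
        print("  off-domain:", link)
```

The check is deliberately a suffix match on the sender's domain rather than a whois lookup, for the reason gst gives below: registrant fields are free text. A tracking host like links.evernote.com would pass; mkt5371.com, however many redirects it performs, would not.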

[+] gst|13 years ago|reply
Trusting whois data isn't a good idea. With most registrars you can write into those fields whatever you want. Just because a domain tells you it belongs to someone, doesn't actually mean that it belongs to this person.
[+] rorrr|13 years ago|reply
It's rarely up to a developer. For websites with large email campaigns there's usually a third party system, which has some link tracking feature. And guess what, your marketing department is using it, and they don't want to switch to your custom one (which will take a few months to code, debug, implement all kinds of reporting compatible with what they do now).
[+] jere|13 years ago|reply
Three years ago, 37signals wrote an email saying all users would have to pick new user names and passwords (I guess changing to a single sign in across all apps).

It was fairly well written, but I swore it was an elaborate phishing scheme. Here is an example of one of the URLs they used: http://37signals.cmail4.com/t/y/l/uiulli/kkulljtjr/d

Now looking back, it's clear they were simply using a redirect URL to track clicks, but I had no clue. You can't even go to cmail4.com without getting an error and no description about what the service is.

[+] cnu|13 years ago|reply
I didn't even get the email from evernote regarding the password reset.

Luckily, I had the Evernote app sign me out and ask me to log in again (which didn't work with my old password). I had to log in through the website and it prompted me to change my password (no link on why) and then it worked with the new password.

I searched through my email trying to see if any email got eaten by the spam folder, but none, "No emails".

[+] jonathanjaeger|13 years ago|reply
I have a feeling they're sending them in batch emails. I just got mine this evening after a lot of other people.
[+] veidr|13 years ago|reply
Just an interesting tidbit I noticed: I received several of these mails from Evernote, as I have multiple accounts (including some I set up for others).

Up until about 28 hours ago (4AM March 3 in Japan), all the embedded links were the bogus, phishing-esque URLs that the OP complains about.

As of 22 hours ago (10AM March 3 in Japan), the emails look the same, but all the links point to http://evernote.com.

So at least somebody at Evernote did notice (or read this post or respond to similar complaints), and correct the situation in the middle of their 50,000,000-user email campaign.

[+] slaven|13 years ago|reply
That is really good to hear - all it took was probably a single checkbox in their email marketing software to not rewrite all emailed links.
[+] theyCallMeSwift|13 years ago|reply
Couldn't Evernote just use a CNAME record on a subdomain that pointed to mkt5371.com? I know that's how the SendGrid click tracking app keeps the links on your domain (http://sendgrid.com/docs/Apps/click_tracking.html)
[+] bpatrianakos|13 years ago|reply
Not if the domain is always different. I've seen transactional email providers who will give you a different domain or subdomain for each email and it's all real random. I'm currently using Mandrill and I haven't checked if it's true for them but I know it's true for others.
[+] cynwoody|13 years ago|reply
Quite moronic of Evernote.

HTH is J. Random User supposed to figure out that mkt5371.com is a service hired by evernote.com? A minimally alert user would click the Report Phishing button upon mousing over.

By including a link that happens to do the right thing, Evernote is conditioning its users to succumb to phishing in the future.

[+] nonamegiven|13 years ago|reply
I got a reset message from Evernote, and I didn't even remember that I had an account. I must have tried it for my typical 30 seconds to conclude "meh" and moved on, then forgot it. I'm still not 100% sure what they do beyond ... note taking?

But I initially assumed it to be ballsy phishing, a brazen attempt to capitalize on Evernote's current trouble. Why? BECAUSE IT HAS A FUCKING LINK TO THE SERVICE IN THE EMAIL! That's the very minimum definition of phishing. Sheesh!

I hovered over it, saw that it was to evernote, but hovers can be faked, and my intuition and experience told me that this smells like phishing no matter what. Sheesh.

[+] evilduck|13 years ago|reply
Synchronized note taking. That part's nothing too special. The killer feature for me is they do OCR on your uploaded pictures, which makes saving whiteboard drawings and back-of-napkin diagrams a breeze, or for snapping pics of business cards and then having searchability over the contents.
[+] bpatrianakos|13 years ago|reply
Great points and something I've been studying and trying to perfect myself for my own service. So while I couldn't agree more with the author's position, I think the unfortunate reality is that there's only a very small minority of users who would know any better anyway. It's mostly just people like us who would know better. Everyone else would just click because there are no spelling or grammar errors and the email is branded properly.

This raises the question of how to educate users. I think we may be confusing them. I don't know about everyone else, but I teach non-technical people not to trust emails that ask you to reset your password when you didn't initiate the action. I always teach, as many of us do I think "don't click links in emails unless you know the sender personally or have requested the link" but then in cases like this we have to go back on that statement and say "well this time it's okay" and while we have really good and logical reasons for why, I don't think we can expect non-techies to understand it. To them it sounds like a contradiction, like "don't click links in emails except when I say it's okay". Then even if you teach people to check where the links are going (good luck) you've got to also teach them about domains, subdomains, and maybe even query strings. It's just a huge mess and I'm at a loss for how to educate people when it comes to a situation like Evernote's regardless of having link tracking or not.

[+] DocG|13 years ago|reply
Worst cases of emails I have gotten are from Sony. For example, the Planetside 2 beta acceptance letter came from [email protected] and without ANY personal information. It was the most generic official letter I have received. The link to download PS2 was also from link.e-sonyonline.com. I disregarded it at first, only after a while discovering it was genuine. And a lot of people are having doubts about this address, just google it.

Also, their password reset letter comes from something like [email protected]. I usually disregard everything like this automatically. Luckily the reset link is planetside2.eu.

[+] kybernetikos|13 years ago|reply
Official email should never include links (unless it's signed, but what is?), the potential for trouble is just too great. I had this exact same problem back in 2003 from a financial company. I wrote them a serious email telling them just how dangerous it is to teach your users that it's OK to click on links that don't even go to your domain in random emails. I even showed them how easily I could create a phishing site.

The person who organised the email drop clearly got some hassle over it and sent me a response personally, but clearly still did not understand the problem.

[+] unclebucknasty|13 years ago|reply
I guess here Evernote figured any instructions they sent would have resulted in a link being sent anyway, so why not just send the link and ensure a higher shot at compliance.

They seemed to have forgotten about phishing.

Some sites have taken to including in such emails account information that presumably only the company would know (such as part of the account number) along with the name. I know of at least one bank that does this. The idea, of course, is that the user can then verify that it must be coming from the company.

This can be reassuring when the email is legit, but the problem is that it requires the user to remember for subsequent emails that such information should be present. So, if a phishing attack comes, will the user stop and think, "hey, where is the personal account info?" Some will, but many won't. I mean, if a user can't be trusted to follow a simple set of instructions (thus needing links), then how can he be expected to remember the security policies of every company for which he is a customer?

[+] logn|13 years ago|reply
I also hate when unsubscribe from spam is on a different domain than the business, using a 3rd party email/marketing company. And I hate how "enter your email to confirm unsubscribing" is pretty common.
[+] pooriaazimi|13 years ago|reply
If I can't opt-out of a mailing campaign by just clicking a link, I'll invariably mark it as spam.
[+] ringmaster|13 years ago|reply
I was disappointed by this headline. After resetting my Evernote password this morning, I was looking forward to reading about a new technique that would allow me to avoid password resets in the future. Oh, well.

Is anyone working on such a thing?

(While I'm thinking of it, wordpress.com's password reset should be shot. I get several emails a day because it allows resets by username instead of email or username+email. This whole password issue needs some better minds assigned to it.)

[+] unclebucknasty|13 years ago|reply
Should also be using SSL so querystring is encrypted.
[+] apendleton|13 years ago|reply
It's in an email message, which has probably already made several hops in the clear, so that's probably a lost cause if they're looking for actual security, but a nice idea, I guess.