Notesnook needs to fix this privacy and security issue ASAP

Notesnook has a serious privacy issue that no one seems to have noticed. And it’s that it always generates the same public link when you publish a note. If you unpublish a note, and then republish it, it won’t generate a new link but the identical one you had before.

I use Notesnook to send private notes to people via e-mail or via social media. I don’t just send private notes to people I know, but also complete strangers on the internet.

HOW IT WORKS

The way you send a private note in Notesnook is by writing whatever sensitive information you need to write in the note, publishing the note, and sharing the URL with the recipient. You can set limits on the note, in that the recipient may only be able to see it once, or it may require a password.

THE PROBLEM

All that is well and good, but the problem is that once my note is unpublished, i.e. once it expires and the recipient no longer has access to it because the link won’t work, it will work again if I republish the note. That’s because the URLs are identical.

Every time you publish the same note on Notesnook, the URL link for it remains identical. It never changes.

PROTON PASS & 1PASSWORD DON’T HAVE THIS PROBLEM

On 1Password and Proton Pass, you can create a public link to share your login credentials for a website with someone you trust. That public link will expire after a certain period of time or a certain number of views. However, if a week or months later, you decide to share the same login credentials with someone else, the public link that you generated will be completely different from the first one that expired.

NEITHER DOES FILEN

Filen has the same security measure. Every time you create a public link for the same file or folder, the links are different, so that anyone you had shared that file with in the past, will not be able to use the old expired link to access it. That is not the case with Notesnook.

THIS IS A SECURITY AND PRIVACY ISSUE

Notesnook always generates the exact same, identical link every time you unpublish and re-publish a note. So if I sent a private note to someone a year ago that expired, and sent the same private note to someone else today, the first person can still read that note if they click it in the same time window.

I don’t like that. A lot of times, the information that I have to send someone via a private note is the same. Hence, I’m not going to create a new note every time I need to send someone my phone number or my email via private note.

Notesnook needs to fix this.

Why not password-protect the note to mitigate that issue?

1 Like

I do password protect my notes, but that doesn’t change the fact that it’s still a problem. Also, when I only have one channel of communication to reach someone, I have to give them the password in that same channel where I share the link.

In that case, you should probably open an issue on their GitHub, since the developers aren’t very active here.

1 Like

Anonymity issue, not necessarily a privacy issue but I see the danger.

I wouldn’t say it’s just an anonymity issue. I think it’s a privacy and security issue too, because it potentially gives access to sensitive info that you did not consent to give.

Moreover, there is a Notesnook anonymity issue that I have not talked about here, but that I raised to Notesnook years ago. And it’s that all your published notes can be traced back to your account. What this means is that Notesnook can tell which account a public note is from, which can potentially identify you if court ordered.

This is one of the other reasons I’m reluctant to use public notes from Notesnook to share sensitive info with strangers. Even if they are password protected.

This is on our radar. Monographs are pretty barebones right now (not an excuse) and we are planning a “v2” for Monographs that’ll fix this and many other issues like:

  1. Multiple share links
  2. Customizable self destruct
  3. Encrypted by default with a random password

9 Likes
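An added example, not part of the thread and not Notesnook's code: a minimal share-link table that contrasts the stable URL described in the opening post with a fresh random token per publish, which also allows several independent links per note as in the list above. The `ShareRegistry` class, its method names, and the idea that the stable URL is derived from the note ID are assumptions made for illustration.

```python
import secrets
import time


class ShareRegistry:
    """Hypothetical server-side table of public links (not Notesnook's code)."""

    def __init__(self, rotate_on_publish, now=time.time):
        self.rotate_on_publish = rotate_on_publish
        self.now = now          # injectable clock so expiry can be tested
        self.links = {}         # token -> {"note_id", "expires", "views_left"}

    def publish(self, note_id, ttl_seconds, max_views=None):
        if self.rotate_on_publish:
            token = secrets.token_urlsafe(16)   # fresh 128-bit token per publish
        else:
            token = note_id     # assumed model of the reported behaviour: stable URL
        self.links[token] = {"note_id": note_id,
                             "expires": self.now() + ttl_seconds,
                             "views_left": max_views}
        return token

    def unpublish(self, token):
        self.links.pop(token, None)

    def read(self, token):
        link = self.links.get(token)
        if link is None:
            return None
        if self.now() >= link["expires"]:
            del self.links[token]               # expired links are removed for good
            return None
        if link["views_left"] is not None:
            link["views_left"] -= 1
            if link["views_left"] <= 0:
                del self.links[token]           # view limit reached
        return link["note_id"]


def old_link_after_republish(rotate_on_publish):
    """Return (old link still opens the note, both links are identical)."""
    reg = ShareRegistry(rotate_on_publish)
    first = reg.publish("note-42", ttl_seconds=3600)    # sent to recipient A
    reg.unpublish(first)                                # note withdrawn
    second = reg.publish("note-42", ttl_seconds=3600)   # later sent to recipient B
    return reg.read(first) is not None, first == second
```

With rotation, withdrawing one recipient's link leaves any other link to the same note untouched, and a link that has expired or been withdrawn never becomes valid again.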

Thank you so much for taking the time to comment and addressing this issue. We look forward to the fix. Keep up the good work! :saluting_face: