Critical SSRF on Evernote

Category : Web Hacking

Time to read: 2 min read

Posted on March 31, 2022, 8:14 a.m.

In this article I will talk about a critical vulnerability on Evernote: it was an SSRF that allowed me to fetch GCP credentials from the GCP metadata webserver.

On my first day hunting on Evernote I didn't find anything juicy after 2 hours, so I stopped.

The next day, as soon as I opened Evernote, I saw a juicy request:

If you decode the base64 value in the URL:


you get:


and the content of f6cdd4bdfa4c1b86f441c7c29f072e511dd34501.css is shown inside the response, so I immediately thought about SSRF!

I tried the value of in base64 but it wasn't working. After a little trial and error I understood that there was a whitelist on the URL/filepath: it had to end with .css or .js, so I used the following payload URL:

which is the base64 for:

The .js after the # is sent as a URL fragment, so the server never uses it when fetching, but the extension check still passes since the string ends with .js, and I got the access token:



I then found out that it was also possible to read local files via the base64-encoded value of



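The two checks described above, as an added example that is not part of the original write-up and not Evernote's code: a naive "does the raw string end with .css or .js" check, which passes for a fragment such as `#.js` that the fetching client never transmits, beside a hardened check that decodes the base64 parameter, requires an http(s) scheme (so `file://` is rejected), allowlists the host, and judges the extension on the parsed path alone. The allowlisted host `cdn.example.invalid` and the sample URLs are constructed placeholders.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed placeholder allowlist; a real deployment lists its own static-asset hosts.
ALLOWED_HOSTS = {"cdn.example.invalid"}
ALLOWED_EXTENSIONS = (".css", ".js")


def naive_extension_check(raw_url: str) -> bool:
    """The kind of check the write-up describes: look only at the end of the raw string.

    Anything that merely *ends* in .css/.js passes, including 'http://host/x#.js',
    where '#.js' is a fragment that is never sent to the fetched server, and
    'file:///...#.css', which is not an HTTP URL at all.
    """
    return raw_url.lower().endswith(ALLOWED_EXTENSIONS)


def hardened_fetch_check(raw_url: str) -> bool:
    """Decide on parsed URL components, not on the raw string."""
    parts = urlsplit(raw_url)
    # Only HTTP(S) may be fetched; this blocks file://, gopher://, etc.
    if parts.scheme not in ("http", "https"):
        return False
    # hostname is lower-cased by urlsplit and excludes userinfo and port.
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return False
    # The file being requested is the path; query and fragment are not part of it.
    return parts.path.lower().endswith(ALLOWED_EXTENSIONS)


def encode_param(url: str) -> str:
    """Helper mirroring how the write-up's request carried the URL: base64 in a parameter."""
    return base64.b64encode(url.encode("utf-8")).decode("ascii")


def check_encoded_param(value: str) -> bool:
    """Decode the base64 request parameter, then apply the hardened check."""
    try:
        raw_url = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return hardened_fetch_check(raw_url)


if __name__ == "__main__":
    samples = [
        "https://cdn.example.invalid/f6cdd4bdfa4c1b86f441c7c29f072e511dd34501.css",
        "https://cdn.example.invalid/app.js?v=2#frag",
        "http://internal-service.invalid/token#.js",   # constructed: fragment trick
        "https://cdn.example.invalid/token#.js",       # constructed: same trick, allowed host
        "file:///tmp/example.txt#.css",                # constructed: local file read
    ]
    for url in samples:
        print(f"{url!r:70} naive={naive_extension_check(url)!s:5} "
              f"hardened={check_encoded_param(encode_param(url))}")
```

The point of the second function is that every decision is made on a parsed component: scheme, hostname and path. The fragment and query are discarded before the extension is compared, so appending `#.js` no longer changes the outcome, and a non-HTTP scheme or a host outside the allowlist is rejected before the path is even looked at.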
I got a $5,000 bounty from Evernote, which is their critical bounty; here is the HackerOne report.

This was my first bug bounty write-up; I hope it was interesting. I'll try to write more in the future!
