Trello, when an error in the publishing strategy is able to put at risk the private data of a huge community of unaware users.
A “Security enthusiastic” found a vulnerability in the Trello web management and now with a simple dork is possible to query to mine passwords from dozens of public Trello boards.
Our story begins form @Trello Twitter account where we read:
“Trusted by millions, Trello is the visual collaboration tool that creates a shared perspective on any project.” Yes, “trusted by millions”: but those millions probably didn’t understand the meaning “Public” of the Trello Boards, which they used as “Private” space while they are not.
In fact now, even trusting Trello, millions of users risk having their personal data exposed – including credential, private information, reserved information of their projects. In fact, they are now, while we are writing, having they sensitive data exposed on the Internet, thanks to a dork that can be easily used with Google.
The author of the discovery is Kushagra Pathak who talks about him as a Cyber-security enthusiast in his Twitter profile @xKushagra and has reported this incredible research written in his truly amazing blog post.
A few days ago, as he says, while researching a Bug Bounty program for Jiira with a simple dork like this:
has, inputting “trello.com” in the [company_name] place, made an amazing discovery: Google query returns Trello Boards where are published every kind of information.
Giving a better look at the results he “found that a lot of individuals and companies are putting their sensitive information on their public Trello Boards.”. Yes, it’ amazing but happened: what kind of information they have put on the Trello Boards? “Information like unfixed bugs and security vulnerabilities, the credentials of their social media accounts, email accounts, server and admin dashboards”, all this has been indexed by all the search engines so they can easily find them. He twitted this
#bugbountytip #osint: Search for public Trello boards of companies, to find login credentials, API keys, etc. or if you aren’t lucky enough, then you may find companies’ Team Boards sometimes with tasks to fix security vulnerabilities
— Kushagra Pathak (@xKushagra) April 25, 2018
So digging in the details he “went on to modify the search query to focus on Trello Boards containing the passwords for Gmail accounts.”
With this simple dork the result was really incredible:
Many passwords in clear were repowered by Google as shown in the following figure.
So Trello Boars have been under a huge misunderstanding: they were “Public” borders not Private ones, but their users didn’t know it, or they didn’t consider it.
Then some user used the public Trello Boards as “as a fancy public password manager for their organization’s credentials.”, as Kushagra Pathak writes.
Then every kind of the search is then possible: by email (AoL, Yahoo, Mail.com) by protocol (SSH, FTP), everything is possible to search even business emails, social media accounts, website analytics, Stripe, AdWords accounts.
At this point, I have contributed to spread the info around the world.
#Trello is an online tool for managing projects and personal tasks and with a dork is possible to exfiltrate business emails, Jira credentials, and sensitive internal information of Bug Bounty Programs.
Via @xKushagra https://t.co/p3J9bWXHpZ pic.twitter.com/ANhNv1b86Q
— Odisseus (@_odisseus) May 11, 2018
Kushagra Pathak has also discovered almost than 25 Companies were leaking very sensitive information and, as a proven Ethical Hacker, he reported quickly the Trello vulnerability to them, facing a very tedious and challenging task.
The only ironic side of this story is that to find the right person or the right contact mail it has been easy: they were all on the Trello Boards.
There is a less ironic thing: what about the Bug Bounty? Our hero, who discovered this vulnerable, has found among the exposed companies one company running a Bug Bounty Program, but he hasn’t be rewarded at all: “Unfortunately, they didn’t reward me because it was an issue for which they currently don’t pay”, he said.
About the Author: Odisseus
Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing and development.
(Security Affairs – Google Dork, data leak)