Back to Home

A story about how I, using Google, found passwords on dozens of Trello public boards / RUVDS.com blog

Information Security

The story of how I, using Google, found passwords on dozens of Trello public boards

Original author: Kushagra Pathak
  • Transfer
Kushagra Patak deals with information security. On April 25, he discovered that many private individuals and companies posted classified information on Trello's public message boards. In particular, we are talking about information regarding uncorrected errors and vulnerabilities in programs, about the credentials of accounts on social networks and in postal services, about names and passwords for access to servers and admin control panels. All this, as well as other similar information, was on Trello's publicly accessible bulletin boards that index all search engines, allowing anyone to find this information. The material, the translation of which we publish today, will focus on how this find was made.

image

Find History


I was looking for instances of Jira owned by companies that offer Bug Bounty programs . For this, the following search query was used:

inurl:jira AND intitle:login AND inurl:[company_name]

I want to draw your attention to the fact that I used the so-called Google dork queries . Such queries are search strings that include advanced search operators . They are used to search for information that is indexed by search engines, but, during normal work with sites, is not available.

During the experiments, I, in the above request, instead [company_name], entered Trello. Google produced several results - links to Trello public boards. They contained data for connecting to some Jira instances. It happened at 8:19 am UTC.

I was completely shocked by this find.

Why is this a problem? The fact is that TrelloIs an online tool designed to manage projects and personal tasks. It has entities called boards, which are used to manage projects and tasks. The user can customize the visibility of their boards, in particular by setting it to Приватнаяor Публичная.

After I discovered the above problem, I thought it would be interesting to look for similar vulnerabilities related to the insecure storage of other data, say, information for accessing mailboxes.

Then I modified the request so that it was aimed at finding Trello boards containing passwords for Gmail accounts.

inurl:https://trello.com AND intext:@gmail.com AND intext:password

That's what the search engine gave out.


Finding Trello Whiteboards with Credentials for Accessing Mailboxes

What about SSH and FTP?

inurl:https://trello.com AND intext:ftp AND intext:password
inurl:https://trello.com AND intext:ssh AND intext:password

Something was found by these requests.


Search Trello boards for accessing SSH and FTP accounts

Continuation of searches


After experimenting with queries for several hours, I discovered other interesting things. They were found by modifying the queries.

Some companies use Trello public boards to manage work related to bugs and vulnerabilities found in their applications or websites.


Vulnerability Information Boards

In addition, ordinary people use Trello public boards as wonderful public password managers for the credentials of the companies in which they work.

Among the examples of what we managed to find are data for access to servers, CMS-systems, CRM-systems, web analytics systems. There were also the names and passwords of corporate mailboxes, accounts in Stripe, in AdWords, in social networks. And this is not a complete list of finds.


Trello public boards that contain classified information

Here's another example.


Information about a database containing personal data and financial information got into the public domain.

Before I managed to find all this, I did not do research aimed at any particular company or Bug Bounty program.

However, nine hours after I discovered this Trello vulnerability, I found the contact details of about 25 companies that leaked confidential data and informed them of the problem. By the way, finding this contact information was not so simple.

I also recorded in a private Slack channel, which is used by those who participate in Bug Bounty programs, and in a Discord channel on information security. I, immediately after I found the vulnerability, posted the corresponding tweet. The reaction of those who found out about it was like mine.

Then I began to receive messages from those who took advantage of the vulnerability I discovered to find data for access to corporate mailboxes, to Jira instances, and to other classified information within the framework of Bug Bounty programs.


Audience Response to Vulnerability Reporting

About 10 hours after the vulnerability described here was discovered, I focused on researching companies that had Bug Bounty programs. Then - I checked one well-known company that organizes vehicle sharing using an inquiry of the following form:

inurl:https://trello.com AND intext:[company_name]

I immediately found a Trello whiteboard containing data for accessing the corporate mailbox of some employee of this company, and another whiteboard with information that was clearly not intended for others.

In order to make sure that what I found was really secret data that accidentally went into the public domain, I contacted an employee from the security service of this company. I was told that they were already informed about these problems, but asked to send a full report on the detected vulnerabilities. Unfortunately, my report was closed as a second one, as the company later discovered that it had already received a report on the same vulnerability. Then I reported similar problems in another 15 companies. Some of them were large organizations, but many of them did not have Bug Bounty programs. True, one of them had such a program, and I reported a problem found within the framework of this program. Unfortunately, I did not receive rewards from them, since the problem I found did not apply to those vulnerabilities for which they were willing to pay to detect.

Dear readers! Have you already checked your boards at Trello for leakage of confidential information?

Read Next