But individual users may be able to manually share personal boards that include personal or proprietary employer data, information that gets cataloged by Internet search engines and is available to anyone with a Web browser.

David Shear is an analyst at Flashpoint, a New York City based threat intelligence company. Shear spent several weeks last month exploring the depths of sensitive data exposed on Trello. Amid his digging, Shear documented hundreds of public Trello boards that were exposing passwords and other sensitive information. KrebsOnSecurity worked with Shear to document and report these boards to Trello.

Shear said he’s amazed at the number of companies selling IT support services that are using Trello not only to store their own passwords, but even credentials to manage customer assets online.

“There’s a bunch of different IT shops using it to troubleshoot client requests, and to do updates to infrastructure,” Shear said. “We also found a Web development team that’s done a lot of work for various dental offices. You could see who all their clients were and see credentials for clients to log into their own sites. And they tracked it all via Trello pages.”

One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time. But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.

The (now defunct) Trello page for the Maricopa County Department of Public Health.

Even federal health regulators have made privacy missteps with Trello. Shear’s sleuthing uncovered a public Trello page maintained by - the official Web site of the National Coordinator for Health Information Technology, a component of the U.S. Department of Health and Human Services (HHS) - that was leaking credentials.

There appear to be a great many marketers and realtors who are using public Trello boards as their personal password notepads. One of my favorites is a Trello page maintained by a “virtual assistant” who specializes in helping realtors find new clients and sales leads. Apparently, this person re-used her Trello account password somewhere else (and/or perhaps re-used it from a list of passwords available on her Trello page), and as a result someone added a “You hacked” card to the assistant’s Trello board, urging her to change the password.

One realtor from Austin, Texas who posted numerous passwords to her public Trello board apparently had her Twitter profile hijacked and defaced with a photo featuring a giant Nazi flag and assorted Nazi memorabilia. It’s not clear how the hijacker obtained her password, but it appears to have been on Trello for some time.

Other entities that inadvertently shared passwords for private resources via public Trello boards included a Chinese aviation authority, the International AIDS Society, and the global technology consulting and research firm Analysys Mason, which also exposed its Twitter account credentials on Trello until very recently.

Trello responded to this report by making private many of the boards referenced above; other reported boards appear to remain public, minus the sensitive information. Trello said it was working with Google and other search engine providers to have any cached copies of the exposed boards removed.

“We have put many safeguards in place to make sure that public boards are being created intentionally and have clear language around each privacy setting, as well as persistent visibility settings at the top of each board,” a Trello spokesperson told KrebsOnSecurity in response to this research. “With regard to the search-engine indexing, we are currently sending the correct HTTP response code to Google after a board is made private. This is an automated, immediate action that happens upon users making the change. But we are trying to see if we can speed up the time it takes Google to realize that some of the URLs are no longer available.”

If a Trello board is Team Visible, it means any members of that team can view, join, and edit cards. If a board is Private, only members of that specific board can see it. If a board is Public, anyone with the link to the board can see it.

Flashpoint’s Shear said Trello should be making a more concerted effort to proactively find sensitive data exposed by its users. For example, Shear said Trello’s platform could perform some type of automated analysis that looks for specific keywords (like “password”) and, if the page is public, display a reminder to the board’s author about how to make the page private.
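The automated keyword check Shear suggests in this article is easy to sketch. The block below is an added example, not code from KrebsOnSecurity, Flashpoint or Trello: it scans a board export for stored credentials and reports them only when the board's visibility is Public, since that is the setting under which strangers and search engines can read the cards. The board layout (a `prefs.permissionLevel` of `private`, `org` or `public`, and `cards[]` with `name` and `desc`) is modelled on Trello's JSON export but is an assumption here, as are the regular expressions, the entropy threshold and the sample board, which is constructed for this example. It goes a little beyond a bare "password" keyword search: it requires a label followed by a value (so "change their password policy" does not fire), catches credentials embedded in URLs, and flags unlabelled random-looking tokens such as API keys.

```python
# Added example (not KrebsOnSecurity's, Flashpoint's or Trello's code): a
# credential-exposure check over a board export. Field names, regexes,
# entropy threshold and the sample board are assumptions made for this example.
import math
import re
from collections import Counter
from typing import Dict, List

# A label followed by ':' or '=' and a value is a stored secret, not a mere
# mention of the word, so prose such as "password policy" is not reported.
LABELLED_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|pass|secret|api[_ -]?key|token)\b\s*[:=]\s*(\S+)"
)
# scheme://user:pass@host  (credentials embedded in a URL, e.g. FTP/database links)
URL_CREDS_RE = re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://([^\s/:@]+):([^\s/@]+)@")
# Unlabelled tokens of 20+ characters; reported only if they look random.
TOKEN_RE = re.compile(r"(?<![\w/])[A-Za-z0-9_\-]{20,}(?![\w/])")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune on real data


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4.5 for a random 24-char key, about 3 for English."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def mask(value: str) -> str:
    """Keep the report from re-exposing the secret: show two chars, star the rest."""
    return value[:2] + "*" * (len(value) - 2)


def visibility_audience(permission_level: str) -> str:
    """Who can read a board at each visibility setting described in the article."""
    return {
        "private": "members of this board only",
        "org": "any member of the team (Team Visible)",
        "public": "anyone with the link, including search engines",
    }.get(permission_level, "unknown setting")


def find_credentials(text: str) -> List[Dict[str, str]]:
    """Return masked findings for every credential-like item in a piece of text."""
    findings: List[Dict[str, str]] = []
    seen = set()  # values already reported, so the entropy rule does not repeat them
    for m in LABELLED_SECRET_RE.finditer(text):
        seen.add(m.group(2))
        findings.append({"kind": "labelled_secret", "label": m.group(1).lower(),
                         "value": mask(m.group(2))})
    for m in URL_CREDS_RE.finditer(text):
        seen.add(m.group(2))
        findings.append({"kind": "url_embedded_credentials", "label": m.group(1),
                         "value": mask(m.group(2))})
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok in seen or shannon_entropy(tok) < ENTROPY_THRESHOLD:
            continue
        findings.append({"kind": "high_entropy_token", "label": "", "value": mask(tok)})
    return findings


def scan_board(board: dict) -> List[Dict[str, str]]:
    """Scan every card, but only when the board is Public; Private and Team
    Visible boards are not reachable by strangers or search engines."""
    if board.get("prefs", {}).get("permissionLevel") != "public":
        return []
    results: List[Dict[str, str]] = []
    for card in board.get("cards", []):
        text = card.get("name", "") + "\n" + card.get("desc", "")
        for finding in find_credentials(text):
            results.append(dict(finding, card=card.get("name", "")))
    return results


# Constructed sample board in the assumed export layout (not a real Trello board).
SAMPLE_BOARD = {
    "name": "Client onboarding",
    "prefs": {"permissionLevel": "public"},
    "cards": [
        {"name": "WordPress blog", "desc": "admin login\nuser: editor\npassword: Summer2018!"},
        {"name": "Hosting", "desc": "ftp://deploy:hunter2@ftp.example.com/site"},
        {"name": "Analytics API", "desc": "key lives here: a7Gk9Qz2LmXp4VbN8sRtYw3E"},
        {"name": "Reminder", "desc": "Ask clients to change their password policy before launch."},
    ],
}

if __name__ == "__main__":
    level = SAMPLE_BOARD["prefs"]["permissionLevel"]
    print(f"board '{SAMPLE_BOARD['name']}' is {level}: {visibility_audience(level)}")
    for f in scan_board(SAMPLE_BOARD):
        print(f"  [{f['kind']}] card '{f['card']}' label={f['label']!r} value={f['value']}")
```

Run stand-alone it reports three findings (the labelled password, the FTP credentials and the unlabelled API key) and nothing for the "password policy" reminder card; change `permissionLevel` to `private` and it reports nothing, which is the decision point at which Trello could show the author the reminder Shear describes. The masking is deliberate: a scanner that logs the plaintext secret it found simply creates a second copy of the exposure.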