Trello is a tool inspired by the kanban method that lets you create task lists organized on cards and boards. The project management service is used by more than 35 million people and by 80% of the companies in the Fortune 500 ranking. Using it requires some care: if a board is public, it can expose sensitive data, such as passwords and credit card numbers, to Google.
Project manager Mateus Vincent, a Tecnoblog reader, alerted us to this problem: some Brazilian Trello users leave login credentials, passwords, card numbers and other confidential data on public boards, unaware that these boards are indexed by Google. As a result, a search for “senha”, “password”, “token” and other similar terms returns results containing this type of sensitive information.
We found a board with login and password details for Google, Vivo and airline websites. One of the cards even includes a credit card number together with its expiration date and verification code (CVV).
On another board, found by Mateus, it is possible to find Instagram and Facebook logins and passwords for the customers of a Brazilian digital communication company. On a third board, a marketing company exposed the card details of a customer who had purchased an online advertising campaign.
Trello sets every board to “private” by default
This is not a problem exclusive to Brazil: last year, security researcher Brian Krebs found a public board created by Uber developers in the Asia-Pacific region that included passwords and links to internal Google Docs documents. The company set the board to private and notified two South American users whose data had been exposed.
At the time, Trello co-founder Michael Pryor pointed out that boards are set to “private” by default and must be manually changed to “public” if the user so wishes. “We strive to ensure that public boards are created intentionally, and we build safeguards to confirm the user’s intention before making a board publicly visible,” he told Krebs on Security.
In its FAQ, Trello explains that a public board “is visible to anyone on the internet and will appear on search engines like Google … anyone with the link can see it, even if they don’t have a Trello account”.
Once a board has been indexed, it can be hard to get it removed: “Once the board becomes private, we will report the correct status of the link to Google (i.e. a 404 error), but Google needs to learn that this is permanent”. For this reason, Trello recommends contacting Google support directly to have the link removed.
UN and British government had data on public boards
Also last year, researcher Kushagra Pathak found 60 public Trello boards containing confidential United Nations (UN) information. The cards included links to Google Docs files that could be accessed by anyone.
“We contacted all employees, reminding them of the risks of using a third-party platform to share content, and taking the necessary precautions to ensure that no confidential content is public,” a UN spokeswoman told The Intercept.
Something similar happened with the UK government: 10 public Trello boards exposed secret data, such as anti-terrorism measures, over a period of four years. ZDNet notes that Trello is a major source of data leaks, alongside the Amazon S3 cloud service and ElasticSearch installations.
These services did not leak data because of security holes: they were simply misconfigured, just like Trello’s public boards. If you use the service, learn how to change the visibility of a board – and avoid storing passwords in plain text.
Thank you, Mateus!