Craig Jones, global cybersecurity operations director at Sophos, has discovered that Trello, an app used for organizing personal to-do lists and coordinating team tasks, exposed the personally identifiable information (PII) of users who set their Trello boards to “public”.
When the news broke that office space company Regus had exposed employee performance ratings through a public Trello board, Jones, a regular user of the app himself, was quick to analyze the root cause of the exposure. He found that Trello boards default to “private”, but many users change this setting to “public”. Once a board is public, everything on it can be viewed by anyone. Because public boards are ordinary HTML pages, search engines such as Google also index them, making it simple for anyone to uncover the boards’ contents using a specialized search query known as a ‘dork’.
Jones found a host of PII on the Trello boards, including names, emails, dates of birth, ID numbers and bank account information. One company’s HR board contained details such as a job offer to a prospective employee, including their salary, bonus and contractual obligations. While researching, Jones also came across an Australian pub’s Trello board that exposed details of customer fraud, customer Gmail addresses and social media passwords, and API keys.
Recognizing the severity of the issue and acting responsibly, Jones reported his findings to the affected companies, and to Trello, so that the boards could be reset to “private”. He also recommends contacting Google to take down pages that have already been indexed, since content remains cached on search engines for some time after a board is made private again.
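The remediation Jones recommends, checking every board a user can see for the “public” permission level and flipping it back to “private”, can be scripted against Trello’s REST API. The following is an added example (not code from the article, Sophos or Trello); the endpoint paths, the `fields=name,url,prefs` parameter and the `prefs.permissionLevel` / `prefs/permissionLevel` names are assumed from Trello’s public API documentation, and the board list is a constructed sample standing in for a live fetch.

```python
"""Audit Trello boards for the 'public' permission level and prepare the fix.

Added example, not the article's or Trello's own code. Assumed API shape:
GET https://api.trello.com/1/members/me/boards?fields=name,url,prefs&key=..&token=..
returns a JSON list whose entries carry prefs.permissionLevel in
{"private", "org", "public"}; PUT /1/boards/{id}?prefs/permissionLevel=private
sets a board back to private.
"""
import json
import urllib.parse
import urllib.request

API = "https://api.trello.com/1"


def fetch_boards(key: str, token: str) -> list:
    """Download the caller's boards with their visibility settings (needs network)."""
    q = urllib.parse.urlencode({"fields": "name,url,prefs", "key": key, "token": token})
    with urllib.request.urlopen(f"{API}/members/me/boards?{q}") as resp:
        return json.load(resp)


def find_public_boards(boards: list) -> list:
    """Return (id, name, url) for every board that is readable by anyone.
    A missing or unknown permissionLevel is flagged too, so that a schema change
    fails closed instead of silently hiding an exposed board."""
    exposed = []
    for b in boards:
        level = (b.get("prefs") or {}).get("permissionLevel")
        if level not in ("private", "org"):
            exposed.append((b["id"], b.get("name", "?"), b.get("url", "?")))
    return exposed


def make_private_request(board_id: str, key: str, token: str) -> tuple:
    """Build the PUT that resets one board to private; returned, not sent."""
    q = urllib.parse.urlencode({"prefs/permissionLevel": "private", "key": key, "token": token})
    return ("PUT", f"{API}/boards/{board_id}?{q}")


def apply_fix(board_id: str, key: str, token: str) -> int:
    """Send the prepared PUT and return the HTTP status (needs network)."""
    method, url = make_private_request(board_id, key, token)
    with urllib.request.urlopen(urllib.request.Request(url, method=method)) as resp:
        return resp.status


# Constructed sample in the API's shape; only the first board is exposed.
SAMPLE_BOARDS = json.loads("""[
 {"id": "b1", "name": "HR - offers", "url": "https://trello.com/b/b1/hr", "prefs": {"permissionLevel": "public"}},
 {"id": "b2", "name": "Sprint 12", "url": "https://trello.com/b/b2/s12", "prefs": {"permissionLevel": "private"}},
 {"id": "b3", "name": "Ops", "url": "https://trello.com/b/b3/ops", "prefs": {"permissionLevel": "org"}}
]""")

if __name__ == "__main__":
    for board_id, name, url in find_public_boards(SAMPLE_BOARDS):
        print(f"PUBLIC: {name} ({url}) -> {make_private_request(board_id, 'KEY', 'TOKEN')[1]}")
```

Replace `SAMPLE_BOARDS` with `fetch_boards(key, token)` to audit a real account; even after a board is reset, its cached copy may persist in search engines for a while, as the article notes.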
Lack of Security Protection
Researchers found no access protection on this AWS storage bucket and were therefore able to see every file stored in it. The files contained a wide range of PII, including names, addresses, phone numbers, dates of birth, gender and national insurance numbers: everything a threat actor needs to carry out identity theft, fraud, or any other cyberattack aimed at the affected user. “It’s everything you need to steal someone’s identity, to open a bank account in their name, or a lot of other malicious things,” the researchers said.