How Secure Are Your Projects on Trello?

Post-It Notes

The CybelAngel platform detects data leaks on a variety of sharing communities, including GitHub, paste sites, and importantly, Trello. Trello describes itself as an “easy, free, flexible, and visual way to manage your projects and organize anything.” CybelAngel has scanned thousands of “boards” on Trello, a board being the main webpage tied to a project. Unfortunately, on boards that are clearly publicly accessible, we often see sensitive information exposed, suggesting that many Trello users are not sufficiently aware of the cybersecurity issues Trello presents, and don’t understand the value of the data they share publicly. Below are a few examples of bad practices we found.

Sharing credentials

Trello “cards” (entries that make up a board) are commonly used as simple post-its: raw information easy to find and copy/paste. Many users not only post operating data but also confidential data, such as passwords, access codes, etc. Some data may not be sensitive in and of itself, but can enable hackers to access confidential environments and eventually access sensitive data, such as personally identifying information (PII).  

Students sharing WiFi credentials for a network of their university. The IT department has no doubt segmented this network, but the system administrators do not know that anyone can find those credentials.

The data available to such threat actors could be even more sensitive. If threat actors obtain admin access to a WordPress blog, they can achieve remote command execution: they can edit the WordPress theme to add PHP code, or install a WordPress plugin that makes it easier to access files on the server.

Credentials identified.

API access

The CybelAngel platform often finds API keys exposed on code collaboration platforms like GitHub, and it often finds the same kind of sensitive information on Trello. Even though companies provide several secure channels for their employees to collaborate, developers sometimes prefer to use Trello to exchange information with their colleagues. We observe that UX design collaboration on Trello often results in information exposure. Many companies forbid their developers from sharing API access credentials, but regrettably developers bypass these rules.
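As an added illustration (not CybelAngel's code and not part of any Trello tooling), the scanner below runs the kind of checks a defender would apply to an export of their own boards to catch the credential and API key patterns described in the previous two sections: keyword assignments such as `password: ...`, connection strings with embedded credentials, AWS-style access key IDs, and long high-entropy tokens. The card records are constructed for the example, and their `{"id", "name", "desc"}` shape is an assumption rather than Trello's real export format; the rule names, the entropy threshold and the helper functions are likewise this example's own.

```python
import re
from collections import Counter
from math import log2

# Constructed sample cards: invented for this example, not real leaked data.
# The {"id", "name", "desc"} shape is an assumption about what a board export
# looks like, not a statement about Trello's actual export or API format.
SAMPLE_CARDS = [
    {"id": "c1", "name": "Campus WiFi",
     "desc": "SSID: campus-staff\npassword: CorrectHorse42!"},
    {"id": "c2", "name": "Sprint planning",
     "desc": "Review the PR backlog before Friday standup."},
    {"id": "c3", "name": "Mobile app config",
     "desc": "app_secret = 9f3b1c7e2a4d5f6081b2c3d4e5f60718"},
    {"id": "c4", "name": "Reporting DB",
     "desc": "mongodb://reporter:Pa55w0rd@db.example.internal:27017/prod"},
    {"id": "c5", "name": "Cloud access",
     "desc": "AKIAIOSFODNN7EXAMPLE is the key for the staging bucket"},
    {"id": "c6", "name": "CI variable",
     "desc": "Paste into the pipeline settings: x7Qm2vL9pR4sT1wY6zB3nK8j"},
]

# Detection rules, applied to the card title and description together.
KEYWORD_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|api[_ -]?key|access[_ -]?key|token)"
    r"\s*[:=]\s*(\S+)")
# scheme://user:password@host  (group 1 is the password)
URI_WITH_CREDENTIALS = re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@")
# AWS access key IDs have a fixed, well-known prefix and length.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Any long run of key-like characters is a candidate for the entropy check.
CANDIDATE_TOKEN = re.compile(r"[A-Za-z0-9_\-]{20,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; chosen by hand for this sample


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, prose scores low."""
    counts = Counter(s)
    return -sum((n / len(s)) * log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep only a two-character prefix so the report does not re-leak the secret."""
    return value[:2] + "*" * (len(value) - 2)


def scan_card(card: dict) -> list:
    """Return one finding per distinct suspected secret in a single card."""
    text = f"{card['name']}\n{card['desc']}"
    hits = []  # (rule, value), most specific rules first
    for m in KEYWORD_ASSIGNMENT.finditer(text):
        hits.append(("keyword_assignment", m.group(2)))
    for m in URI_WITH_CREDENTIALS.finditer(text):
        hits.append(("uri_credentials", m.group(1)))
    for m in AWS_ACCESS_KEY_ID.finditer(text):
        hits.append(("aws_access_key_id", m.group(0)))
    for m in CANDIDATE_TOKEN.finditer(text):
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            hits.append(("high_entropy_token", m.group(0)))
    findings, seen = [], set()
    for rule, value in hits:
        if value in seen:
            continue  # same secret already reported by a more specific rule
        seen.add(value)
        findings.append({"card": card["id"], "rule": rule, "preview": redact(value)})
    return findings


def scan_board(cards: list) -> list:
    """Scan every card of a board export and concatenate the findings."""
    return [f for card in cards for f in scan_card(card)]


if __name__ == "__main__":
    for f in scan_board(SAMPLE_CARDS):
        print(f"{f['card']}: {f['rule']} -> {f['preview']}")
```

Two design points matter more than the regexes themselves. Findings are de-duplicated by value, so a hex secret that matches both the keyword rule and the entropy rule is reported once, under the more specific rule. And every reported value is redacted before it leaves the function: a findings report that reprints the secrets it found is itself one more place the data leaks.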

In its developer policies, Facebook asserts that you shouldn’t share publicly the access credentials for your Facebook application…

…but this screenshot shows that not everybody reads the guidelines!

Revealing your weaknesses

Before becoming a place where employees negligently expose confidential information, Trello was a project management tool. Accordingly, it stores all kinds of information about a company’s project activities. Securing servers is a good cybersecurity practice for every company, but it is useless if employees share confidential information on a platform available to everyone. More importantly, CybelAngel finds a lot of boards revealing companies’ cybersecurity vulnerabilities. The screenshots below are strong examples:  

A board revealing that the organization’s MongoDB storage is exposed.

A board revealing that one of the organization’s applications is outdated.

What about sharing your future password?

Threat actors can learn here that spammers are exploiting a password reset feature to send emails, and that they just need to use the name fields to do so.

What are the solutions?

Some employees do not understand the value of the data they share. Not everybody can think as a threat actor would and see the obvious dangers of sharing information online. Educating employees on this topic is the first way to protect your data. Since these leaks are a matter of negligence, companies must train their employees regularly. Our internal studies show that the vast majority of data leaks come from contractors and other third parties that companies deal with. Companies often do not have the bandwidth to educate their employees or their third parties by themselves. At CybelAngel, we believe that data leaks are inevitable, but that the damage is optional. Our platform scans the internet for data exposures with a comprehensive approach, monitoring all sharing platforms, including GitHub, paste sites, and Trello. We can detect, in real time, public boards disclosing your current vulnerabilities or exposing credentials carelessly left accessible. If you’d like to learn more about CybelAngel’s data leak monitoring across Trello boards and other potentially vulnerable social sharing platforms, request a demo today.