Post-It Notes

How Secure Are Your Projects on Trello?

The CybelAngel platform detects data leaks on a variety of sharing communities, including GitHub, paste sites, and importantly, Trello. Trello describes itself as an “easy, free, flexible, and visual way to manage your projects and organize anything.” CybelAngel has scanned thousands of “boards” on Trello, a board being the main webpage tied to a project. Unfortunately, on boards that are clearly publicly accessible, we often see sensitive information exposed, suggesting that many Trello users are not sufficiently aware of the cybersecurity issues Trello presents, and don’t understand the value of the data they share publicly. Below are a few examples of bad practices we found.

Sharing credentials

Trello “cards” (entries that make up a board) are commonly used as simple post-its: raw information easy to find and copy/paste. Many users not only post operating data but also confidential data, such as passwords, access codes, etc. Some data may not be sensitive in and of itself, but can enable hackers to access confidential environments and eventually access sensitive data, such as personally identifying information (PII).  

Students sharing WiFi credentials for a network of their university. The IT department surely partitioned this network, but the system administrators do not know that anybody can find those credentials.
  The data available to such threat actors could be even more sensitive. If threat actors obtain admin access to a WordPress blog, they can command execution remotely. They can edit the WordPress theme to add some PHP code or install a WordPress plugin to facilitate accessing files on the server.  
Credentials identified.
 

API access

The CybelAngel platform often finds API keys exposed on code collaboration platforms like Github. CybelAngel also often finds such sensitive information on Trello. Even though companies provide several secure channels for their employees to collaborate, developers sometimes prefer to use Trello to exchange information with their colleagues. We observe that UX design collaboration on Trello often results in information exposure. Many companies forbid API users to share API access credentials, but regrettably developers bypass these rules.  

In its developer policies, Facebook asserts that you shouldn’t share publicly the access credentials for your Facebook application…
 
…but this screenshot shows that not everybody reads the guidelines!
 

Revealing your weaknesses

Before becoming a place where employees negligently expose confidential information, Trello was a project management tool. Accordingly, it stores all kinds of information about a company’s project activities. Securing servers is a good cybersecurity practice for every company, but it is useless if employees share confidential information on a platform available to everyone. More importantly, CybelAngel finds a lot of boards revealing companies’ cybersecurity vulnerabilities. The screenshots below are strong examples:  

A board revealing the organization’s MongoDB storage is exposed.
 
A board revealing that one of the organization’s applications is outdated.
 
What about sharing your future password?
 
Threat actors can learn here that spammers are exploiting a password reset feature to send emails and that they just need to use the name fields to do so.
 

What are the solutions?

Some employees do not understand the value of the data they share. Not everybody can think as a threat actor would and see the obvious dangers of sharing information online. Educating employees on this topic is the first way to protect your data. Since these leaks are a matter of negligence, companies must train their employees regularly. Our internal studies show that the vast majority of data leaks come from contractors and other third parties that companies deal with. Companies often do not have bandwidth to educate their employees or their third parties by themselves. At CybelAngel, we believe that data leaks are inevitable, but that the damage is optional. Our platform scans the internet for data exposures with a comprehensive approach, monitoring all sharing platforms, including Github, paste sites, and Trello. We can detect, in real time, public boards disclosing your current vulnerabilities or exposing credentials carelessly left accessible. If you’d like to learn more about CybelAngel’s data leak monitoring across Trello boards and other potentially vulnerable social sharing platforms, request a demo today.