Note: I used a Google dork query, sometimes referred to as a dork. It is a search string that uses advanced search operators to find information that is not readily available on a website. — WhatIs.com
I was so shocked and amazed 😲
So why was this a problem? Well, Trello is an online tool for managing projects and personal tasks. And it has Boards which are used to manage those projects and tasks. The user can set the visibility of their boards to Private or Public.
After finding this flaw, I thought — why not check for other security issues like email account credentials?
I went on to modify my search query to focus on Trello Boards containing the passwords for Gmail accounts.
inurl:https://trello.com AND intext:@gmail.com AND intext:password
And what about SSH and FTP?
inurl:https://trello.com AND intext:ftp AND intext:password
inurl:https://trello.com AND intext:ssh AND intext:password
🔎 What else I found
After spending a few hours using this technique, I uncovered more amazing discoveries, all while I kept changing my search query.
Some companies use Public Trello boards to manage bugs and security vulnerabilities found in their applications and websites.
People also use Public Trello boards as a fancy public password manager for their organization’s credentials.
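From the defender's side, the two facts above (a board's Private/Public setting and credential-like text sitting on cards) are what an organization should audit for. The following is an added example, not code from the original post: it assumes the Trello REST API's `/1/members/me/boards` and `/1/boards/{id}/cards` endpoints with an API key and token, lists the boards set to public, and flags cards whose text matches the same keywords the post searched for (password, gmail, ssh, ftp); the sample data is constructed so it runs offline.

```python
# Added example, not code from the original post. Assumes the Trello REST API's
# /1/members/me/boards and /1/boards/{id}/cards endpoints with an API key and
# token; the SAMPLE_* data below is constructed so the audit runs offline.
import json
import re
import urllib.parse
import urllib.request

# Patterns mirroring the keywords the post searched for: password, gmail, ssh, ftp.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bpassword\b\s*[:=]", re.I),
    re.compile(r"[\w.+-]+@gmail\.com", re.I),
    re.compile(r"\b(ssh|ftp)\b.*\b(pass|password|pwd)\b", re.I | re.S),
]

def public_boards(boards):
    """Boards whose permissionLevel is 'public' are indexable by search engines."""
    return [b for b in boards if b.get("prefs", {}).get("permissionLevel") == "public"]

def flag_cards(cards):
    """Return (card name, pattern) for cards whose name/description look like credentials."""
    hits = []
    for card in cards:
        text = f"{card.get('name', '')}\n{card.get('desc', '')}"
        for pat in CREDENTIAL_PATTERNS:
            if pat.search(text):
                hits.append((card.get("name", ""), pat.pattern))
                break
    return hits

def fetch_json(path, key, token, **params):
    # Live Trello API call; only needed when auditing real boards, not the sample.
    params.update(key=key, token=token)
    url = f"https://api.trello.com/1{path}?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

# Constructed sample shaped like the API responses (no real accounts or secrets).
SAMPLE_BOARDS = [
    {"id": "b1", "name": "Ops", "prefs": {"permissionLevel": "public"}},
    {"id": "b2", "name": "Roadmap", "prefs": {"permissionLevel": "private"}},
]
SAMPLE_CARDS = [
    {"name": "Mail login", "desc": "user: ops@gmail.com password: hunter2"},
    {"name": "FTP box", "desc": "ftp host example.invalid, pass is in vault"},
    {"name": "Sprint notes", "desc": "refactor auth module"},
]
if __name__ == "__main__":
    for board in public_boards(SAMPLE_BOARDS):
        print(board["name"], flag_cards(SAMPLE_CARDS))
```

For a live audit, replace the samples with `fetch_json("/members/me/boards", KEY, TOKEN, fields="name,prefs")` and `fetch_json(f"/boards/{board_id}/cards", KEY, TOKEN, fields="name,desc")`; any public board with hits should be switched to Private and its credentials rotated.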
Here’s another example:
I posted about this in a private Slack of bug bounty hunters and an infosec Discord server. I also tweeted about this right after discovering this Trello technique. The people there were as amazed and astonished as I was.
Then people started telling me that they were finding cool things like business emails, Jira credentials, and sensitive internal information of Bug Bounty Programs through the Trello technique I shared.
Almost 10 hours after discovering this Trello technique, I started testing companies running Bug Bounty Programs specifically. I then began by checking a well-known ridesharing company using the search query.
inurl:https://trello.com AND intext:[company_name]
I instantly found a Trello board that contained login details of an employee’s business email account, and another that contained some internal information.
To verify this, I contacted someone from their Security Team. They said they had received a report about the Board containing email credentials of an employee right before mine and about the other board containing some internal information. The security team asked me to submit a complete report to them because this is a new finding.
Unfortunately, my report got closed as a Duplicate. The ridesharing company later found out that they had already received a report about the Trello board I found.
In the coming days, I reported issues to 15 more companies about their Trello boards that were leaking highly sensitive information about their organizations. Some were big companies, but many don’t run a Bug Bounty Program.
Update — 19 September 2018:
In recent months, I discovered a total of 50 Trello Boards of the British and Canadian governments containing internal confidential information and credentials. The Intercept wrote a detailed article about it here.
A self-proclaimed tech wizard, part executive, part entrepreneur and a geek, Stas holds a BSc in Hardware Engineering and has 10 years of experience as a Software Engineer. A highly motivated individual with a real passion for making things happen, always seeking out new tech and business challenges.