Open Source Intelligence (OSINT) is the practice of using publicly available data about a target company or person. In our field of work it’s critical because it gives you all the juicy details you can later turn into a pretext. Later fraud attempts often stem from data that was gathered easily from the internet.
Whilst almost all online applications leak some level of data, it’s important we manage the issue and occasionally pick fault when there is more to be done to prevent data being nefariously used. We have spent some time looking at Trello – it’s a popular online project management app being used by companies to collate documents and their plans.
When we started looking at the privacy issues with Trello in 2016 there were some real problems regarding OSINT, I am glad to see they have ironed them out. But the journey to fully secure their customers is far from over. Recent high profile articles suggest the issue is still very much a concern.
Let us explain what the issue is before moving on to some improvements that could help stop this nonsense quickly and cleanly.
So nothing new here, you put something on the internet and Google will index it. All the things that people place on the internet that are publicly available could end up displayed as a search result someday in the future.
So by using ‘google dorks’ we can be quite selective in what we search for. These searches make it easy to discover what is public on Trello.
Pulling data from Google
Let’s have a look for a few servers with Remote Desktop Protocol enabled that could be used to leverage further attacks:
site:trello.com “RDP” + “Password”
This yields RDP credentials, there is no way to determine if they work or if they are valid without going past what is classified as OSINT but we confirmed many of the usernames were linked to current employees identified on LinkedIn.
So RDP is OK but these days it feels like you’re really in the driving seat with TeamViewer. Surely Trello would be looking for these boards and removing them? Well it seems not:
site:trello.com “TeamViewer” + “password”
Within seconds you have login details that are capable of remotely controlling a businesses computers. Again, keeping this legal we don’t validate credentials but we can say some boards were updated recently.
Sadly for most criminals all these leaked details and access to a hot RDP seat are old hat. When you’ve got a malicious intent to make money, you need data. Lots of data.
site:trello.com “db_user” + “password”
Provides you access to a range of databases, many in production that are being targeted with these techniques by people from all over the world.
Won’t criminals just start doing this now?
Well firstly allow me to clarify the details in this blog are nothing new. Google dorks for Trello have been openly shared shortly after the time they started revealing useful data. In the vein hope of helping, we’ve even spent a considerable amount of time behind the scenes trying to rectify the problems we have discovered. Our favourite success story by far was an organisation that had various Trello cards. They were organised by priority, so right amongst passwords and invoices and tenders we see the low priority cards. We noticed two cards ‘GDPR’ and ‘Register with the ICO’ that had recently been moved from high priority, to low. To be watching this bad choice from the poor companies public Trello board was tragic. They and many others took heed of our emails and restricted public access.
Blindingly obvious really when you think about it for longer than 10 minutes. The fault isn’t with Google, that’s just Google doing its job. The fault isn’t so much with Trello, public boards are a feature. So the fault almost entirely resides with the end user of the board who decides to make sensitive details public.
Could Trello do more – Yes! One suggestion from us would be analysing a boards content when the public switch is flicked and displaying a warning “Your board might contain passwords or sensitive data” if they were really being clever maybe a dictionary of words like db, password, CVV, invoice, login could be used to make it even harder to make them public. Then there is the current offenders… many simply don’t know their boards are public. Trello have the capability to trawl Google like we did and link public boards up to email addresses, they could then issue warnings or alter the privacy settings themselves.
Lastly on Trello’s to do list, please please please give us nerds a bloody button! Up in the board details section, a little greyed out ‘report an issue with data in this public board’ this can file a review internally if a few people press it. So we don’t have to dig through someone’s private correspondence in order to reach out and offer friendly advice… far less creepy from our perspective.
I know it’s easy to write a blog and ask a giant brand to alter what it does, but come on – people shouldn’t be able to go from Google to government secrets in a few clicks like this.