Data exposures in web applications and cloud services are becoming more in fashion these days, and Trello is the latest service being used poorly in the enterprise.
According to an investigation reported by Brian Krebs, Flashpoint security analyst David Shear discovered hundreds of boards exposing data and passwords on Trello from government agencies, healthcare organizations and others. This follows news that large enterprises and government agencies accidentally set Amazon Web Services buckets and Google Groups to public.
By default, Trello boards are either password-protected or visible only to team members. However, it is possible to share boards with anyone on the web, and the contents of those boards can even be indexed by search engines.
Shear found organizations sharing logins and passwords on Trello for corporate WordPress accounts and iPage domain hosting accounts. The Maricopa County Department of Public Health in Phoenix exposed sensitive info, including how to navigate the organization's payroll system. Even the National Coordinator for Health Information Technology, which is part of the U.S. Department of Health and Human Services, was found to be leaking passwords on Trello.
James Lerud, head of the behavioral research team at Verodin, based in McLean, Va., called this incident "the latest in a long line of public exposures involving improper handling of credentials."
"There have been numerous examples of private keys out in the open on GitHub. It's pretty difficult for companies like Trello or GitHub to prevent this type of exposure; the responsibility lies with the users of these services," Lerud wrote via email. "Companies [that] use these types of services need to regularly audit what kind of data is being exposed to the public and not rely on a third party to discover problems."
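The audit Lerud recommends can be partly automated. The following is an added example, not code from the article, Flashpoint, Verodin or Trello: it takes a list of boards in the shape the Trello REST API is assumed to return (the `prefs.permissionLevel` field with values `public`, `org` and `private`, and a `cards` list with `name` and `desc`; treat those field names as an assumption and check them against the current API documentation) and reports boards that are public or that hold cards whose text looks like pasted credentials. The board data is constructed inline so the script runs offline; in practice it would be loaded from the API response.

```python
"""Audit Trello board exports for public visibility and credential-like card text.

Added example for a security team's periodic review; the board JSON below is
constructed sample data in the assumed shape of Trello's API output.
"""
import re
from typing import Dict, List

# Constructed sample boards (assumed field names: prefs.permissionLevel, cards[].desc).
SAMPLE_BOARDS: List[Dict] = [
    {
        "id": "board-1",
        "name": "Marketing site",
        "prefs": {"permissionLevel": "public"},
        "cards": [
            {"id": "c1", "name": "WordPress admin",
             "desc": "user: admin\npassword: hunter2-example"},
            {"id": "c2", "name": "Launch checklist",
             "desc": "Publish blog post on Monday"},
        ],
    },
    {
        "id": "board-2",
        "name": "Payroll onboarding",
        "prefs": {"permissionLevel": "org"},
        "cards": [
            {"id": "c3", "name": "iPage hosting",
             "desc": "login is hosting@example.com / pw: example-pw"},
        ],
    },
    {
        "id": "board-3",
        "name": "Team retro",
        "prefs": {"permissionLevel": "private"},
        "cards": [{"id": "c4", "name": "Retro notes", "desc": "Went well: demos"}],
    },
]

# Deliberately broad patterns: a human reviews the hits, so a false positive
# costs a minute while a miss can cost a credential.
CREDENTIAL_PATTERNS = [
    re.compile(r"\b(password|passwd|pwd|pw)\s*[:=]", re.I),
    re.compile(r"\b(api[_ -]?key|secret|token)\s*[:=]", re.I),
    re.compile(r"\b(login|username|user)\s*[:=]", re.I),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]


def card_has_credential_text(card: Dict) -> bool:
    """True if the card title or description matches a credential pattern."""
    text = f"{card.get('name', '')}\n{card.get('desc', '')}"
    return any(p.search(text) for p in CREDENTIAL_PATTERNS)


def audit_boards(boards: List[Dict]) -> List[Dict]:
    """Return one finding per board that is public or holds credential-like cards.

    severity is "high" when a public board contains credential-like cards and
    "medium" for a public board without them or a non-public board with them.
    Boards that are private/org-only and clean produce no finding.
    """
    findings = []
    for board in boards:
        level = board.get("prefs", {}).get("permissionLevel", "unknown")
        is_public = level == "public"
        suspicious = [c["id"] for c in board.get("cards", [])
                      if card_has_credential_text(c)]
        if not is_public and not suspicious:
            continue
        findings.append({
            "board_id": board["id"],
            "board_name": board.get("name", ""),
            "permission_level": level,
            "suspicious_cards": suspicious,
            "severity": "high" if (is_public and suspicious) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_boards(SAMPLE_BOARDS):
        print(f"[{f['severity'].upper()}] {f['board_name']} ({f['permission_level']}):"
              f" credential-like cards {f['suspicious_cards']}")
```

Running this against the constructed sample reports the public "Marketing site" board as high severity because of card `c1`, and the org-visible "Payroll onboarding" board as medium because card `c3` contains a login and a `pw:` line; the private retro board is silent. Hits should be triaged as possible live credentials: rotate them, then move whatever must be shared into a secrets manager rather than a card description.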
Justin Jett, director of audit and compliance for Plixer, based in Kennebunk, Maine, said it is "an extremely dangerous practice to store credentials on public-facing sites or directories."
"Passwords should never be stored in a manner that could be perceived as plaintext. They should be stored in a secure and encrypted environment where data thieves aren't given a free pass to the data. The number of phishing attacks used to steal users' credentials continues to grow; we don't need to make it even easier for the thieves," Jett wrote via email.
"Many companies don't realize that they have employees storing confidential or sensitive information on public-facing sites, like Trello. Security teams often don't have the visibility they need to know when credentials have been compromised until after a data breach," Jett wrote. "In many cases, it likely comes down to a matter of educating users on best practices. Corporate training can aid the reduction of such blatant exposure of sensitive data."