![]() Trello cards can be searched with the modifier “inurl: ” - this yields thousands (if not millions) of results, and many contain sensitive information. It is incredibly easy to search such boards on Google one could recently find and search within them, for example, using the search modifier like “inurl: ,” which restricts Google to finding only results whose address begins with that text. He hopes to draw attention to what he believes is a major issue: the proliferation of sensitive information on public Trello boards. Pathak began researching computer science and hacking when he was young, eventually teaching himself to program. Pathak reported these to the Canadian Cyber Incident Response Centre, which also took prompt action to remove the boards, most of which were down within a week. Other boards included a link to an Excel file about managing control of web applications, discussion of additional security testing in the aftermath of a recent security incident, links to a Google folder with research documents, a security working group’s board with tasks related to audits and security testing, and a bug discussion. Shortly thereafter, Pathak found 25 Canadian government boards that had even more sensitive information, such as remote file access, or FTP, credentials, and login details for the Eventbrite event-planning platform. National Cyber Security Centre, which identified the boards and removed most of them within two or three days. Also included were boards with conference call details and access codes, login information for a server administration tool known as CPanel, a discussion of how to prevent personal information from being exposed to Google’s web analytics platform, and details about an earlier incident in which such information was exposed to the platform. ![]() government account on a domain registrar, emails that had been pasted onto the boards, a link to a snippet of backend code of a government site, and information on bugs, albeit not bugs disclosing security issues. These included login credentials to a U.K. In his new research, Pathak first discovered 25 public Trello boards belonging to different U.K. It is incredibly easy to search for such boards on Google. Tools like Trello can help master the tangle of development in a safe and constructive way, but can also be misused. More broadly, they show how the use and development of software has become a complex endeavor, involving a wide range of independent online systems, and how this complexity itself represents a security risk, encouraging users and developers to take shortcuts intended to cut through the morass. The data exposures underscore how easy it has become to improperly leak sensitive data in the era of cloud computing. In both the April and new security research, the sensitive data on Trello was tracked down starting with a simple Google query. Pathak even found an NGO sharing login details to a donor management software database, which in turn contained, he said, personally identifiable information and financial records on donors. That earlier disclosure revealed how, on dozens of public Trello boards run by various organizations and individuals, the information available included email and social media credentials, as well as specific information on unfixed bugs and security vulnerabilities. The computer researcher who found the sensitive material, Kushagra Pathak, had disclosed just this past April a wide swath of additional private data exposed to the public on Trello, which is widely used by software developers, among others. All told, between the two governments, a total of 50 Trello pages, known on the site as “boards,” were published on the open web and indexed by Google. government also exposed a small quantity of code for running a government website, as well as a limited number of emails. By misconfiguring pages on Trello, a popular project management website, the governments of the United Kingdom and Canada exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |