By misconfiguring pages on Trello, a popular project management website, the governments of the United Kingdom and Canada exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system.
The U.K. government also exposed a small quantity of code for running a government website, as well as a limited number of emails. All told, between the two governments, a total of 50 Trello pages, known on the site as “boards,” were published on the open web and indexed by Google.
The computer researcher who found the sensitive material, Kushagra Pathak, had disclosed just this past April a wide swath of additional private data exposed to the public on Trello, which is widely used by software developers, among others. That earlier disclosure revealed how, on dozens of public Trello boards run by various organizations and individuals, the information available included email and social media credentials, as well as specific information on unfixed bugs and security vulnerabilities. Pathak even found an NGO sharing login details to a donor management software database, which in turn contained, he said, personally identifiable information and financial records on donors. In both the April and new security research, the sensitive data on Trello was tracked down starting with a simple Google query.
The data exposures underscore how easy it has become to improperly leak sensitive data in the era of cloud computing. More broadly, they show how the use and development of software has become a complex endeavor, involving a wide range of independent online systems, and how this complexity itself represents a security risk, encouraging users and developers to take shortcuts intended to cut through the morass. Tools like Trello can help master the tangle of development in a safe and constructive way, but can also be misused.
In his new research, Pathak first discovered 25 public Trello boards belonging to different U.K. government departments. These included login credentials to a U.K. government account on a domain registrar, emails that had been pasted onto the boards, a link to a snippet of backend code of a government site, and information on bugs, albeit not bugs disclosing security issues. Also included were boards with conference call details and access codes, login information for a server administration tool known as CPanel, a discussion of how to prevent personal information from being exposed to Google’s web analytics platform, and details about an earlier incident in which such information was exposed to the platform. Pathak reported this through the U.K. National Cyber Security Centre, which identified the boards and removed most of them within two or three days.
Shortly thereafter, Pathak found 25 Canadian government boards that had even more sensitive information, such as remote file access, or FTP, credentials, and login details for the Eventbrite event-planning platform. Other boards included a link to an Excel file about managing control of web applications, discussion of additional security testing in the aftermath of a recent security incident, links to a Google folder with research documents, a security working group’s board with tasks related to audits and security testing, and a bug discussion. Pathak reported these to the Canadian Cyber Incident Response Centre, which also took prompt action to remove the boards, most of which were down within a week.
Pathak began researching computer science and hacking when he was young, eventually teaching himself to program. He hopes to draw attention to what he believes is a major issue: the proliferation of sensitive information on public Trello boards. It is incredibly easy to search such boards on Google; one could recently find and search within them, for example, using a search modifier like “inurl:https://trello.com/b/,” which restricts Google to finding only results whose address begins with that text. Trello cards can be searched with the modifier “inurl:https://trello.com/c/” — this yields thousands (if not millions) of results, and many contain sensitive information.
Pathak said that in many cases, it can be very difficult to identify the organization to which a board belongs. “I literally spent hours finding the contact details of organizations to which a board belonged so I could report them,” he told me.
Trello co-founder Michael Pryor provided a written statement highlighting the company’s privacy safeguards.
“Trello boards are set to private by default and must be manually changed to public by the user,” the statement read. “We strive to make sure public boards are being created intentionally and have built in safeguards to confirm the intention of a user before they make a board publicly visible. Additionally, visibility settings are displayed persistently on the top of every board.”
In a Medium comment, Pathak said that he has seen many organizations using public Trello boards to share useful information that they want to be listed in the search results, so there are good reasons to expose some boards. But he also said it’s possible that some boards are made public due to sheer laziness: it’s slightly easier to make a board public and share the URL internally than it is to add people to a Trello team of authorized viewers.
It’s true, as Pryor stated, that Trello’s boards are set to private by default and that when a user sets a board to public, the visibility setting and what it entails (including search engine indexing) is clearly explained. But Pathak had three suggestions to add to these built-in safeguards: Trello could highlight the visibility in red if a board is set to public; it could show a pop-up notice to users when they create or change board visibility to public in order to let them know that the board can be viewed by anyone with the link and is indexed by search engines; and it could add a feature to the Trello interface that automatically checks to detect whether a user has posted a username or password to a public board.
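The third suggestion, an automatic check for credentials on public boards, is the kind of control an organization could also run over its own boards. The following is an added example written for this article, not code from Trello or from Pathak; it assumes board records shaped roughly like Trello’s board JSON (a `prefs.permissionLevel` value and a list of cards with `name` and `desc`), and the sample boards and credentials in it are constructed.

```python
import re

# Heuristic patterns for the kinds of secrets described in the article
# (passwords, FTP credentials, conference access codes, API tokens).
# These are constructed for this example, not Trello's own checks.
CREDENTIAL_PATTERNS = {
    "password": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    "ftp_url": re.compile(r"\bftp://[^\s/]+:[^\s/]+@", re.I),
    "access_code": re.compile(r"\b(?:access|dial-?in)\s+code\s*[:=]?\s*\d{4,}", re.I),
    "api_key": re.compile(r"\b(?:api[_ -]?key|token)\s*[:=]\s*[A-Za-z0-9_\-]{16,}", re.I),
}


def find_credential_hits(text):
    """Return the names of the credential patterns that match a card's text."""
    return [name for name, pat in CREDENTIAL_PATTERNS.items() if pat.search(text)]


def audit_boards(boards):
    """Flag cards on *public* boards that look like they carry credentials.

    Private and team-only boards are skipped: the risk the article describes
    comes from public boards that search engines index.
    """
    findings = []
    for board in boards:
        if board.get("prefs", {}).get("permissionLevel") != "public":
            continue
        for card in board.get("cards", []):
            text = card.get("name", "") + "\n" + card.get("desc", "")
            hits = find_credential_hits(text)
            if hits:
                findings.append((board["name"], card["name"], hits))
    return findings


# Constructed sample data (assumed shape; values are invented).
SAMPLE_BOARDS = [
    {"name": "Web team", "prefs": {"permissionLevel": "public"},
     "cards": [
         {"name": "Staging server", "desc": "ftp://deploy:Hunter2@staging.example.gov/"},
         {"name": "Weekly sync", "desc": "Dial-in code: 4471902"},
         {"name": "Retro notes", "desc": "Discuss sprint velocity."},
     ]},
    {"name": "Infra (internal)", "prefs": {"permissionLevel": "private"},
     "cards": [{"name": "cpanel", "desc": "password: s3cret"}]},
]

if __name__ == "__main__":
    for board, card, hits in audit_boards(SAMPLE_BOARDS):
        print(f"{board} / {card}: {', '.join(hits)}")
```

A real deployment would fetch the board list from the Trello API for the organization's members and run the same check, and would treat any hit on a public board as an incident to triage rather than proof of a leak.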
Informed of Pathak’s suggestions, Pryor said that Trello is looking at other similar cloud apps and how they balance users’ quite often safe decision to share a set of information publicly with the desire to protect against inappropriate sharing of sensitive data. In the meantime, security researchers who find additional boards with sensitive information can send them to email@example.com, and Trello will get in contact with the owner and close them down if needed, according to Pryor.
U.K.’s Government Digital Service, which declined to comment for publication, provided its staff with internal communication guidance to make sure it is using online tools such as Trello appropriately; the guidance states that no personal or sensitive data should be published on Trello. The service also has an Information Assurance Team to guide staff on the appropriate use of online tools.
A written statement provided by a spokesperson for the government of Canada said, “The Government of Canada recognizes that open access to modern digital tools is essential to transforming how public servants work and serve Canadians. … Departments and agencies of the Government of Canada must also apply adequate security controls to protect their users, information, and assets. This includes ensuring that their users are appropriately educated about their obligation to safeguard information and assets and to never use external web services and tools for communicating or storing sensitive information unless the service is approved by the appropriate security and technical authorities. Government of Canada employees are being reminded of their obligation never to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.”