Recently a diligent security professional, Kushagra Pathak, discovered a surprising amount of sensitive data on Trello. He didn’t use an exploit kit available on the dark web, engage in social engineering or exploit a known vulnerability. @xKushagra simply used a somewhat well-known dork to search the web: inurl. The lack of sophistication needed to discover the information combined with the sensitivity of the data is troubling.
Inurl is used in search queries (most commonly in Google) and very easy to execute. The following query can return passwords (potentially in the clear) associated with the domain (example uses thoughtfultechnology.com).
inurl:https://trello.com AND intext:@thoughtfultechnology.com AND intext:password
You can substitute the domain to search for any organization. I executed the query for some of my customers as a courtesy and informed them when I found sensitive information. They appreciated the feedback. Think about it, you can also substitute Trello with any of the other collaboration tools – Slack, Stride, and GitHub (there are many more).
The issue isn’t these tools, it’s how they are used. Users must understand that secrets such as passwords and private keys must not be posted on any collaboration tool (public or private mode). They should be stored using tools intended for that purpose: a secrets manager. Users don’t have a malicious intent or purposefully expose secrets. They need to be reminded of the implications of their actions and how to properly handle this data. Product vulnerabilities, credentials and detailed configurations don’t belong on publicly available sites. These concepts must be included in training and awareness programs.
If this isn’t addressed organizations will continue to be easy targets for hackers with malicious intent. Reconnaissance becomes a breeze when credentials are publicly available.
Kushagra’s post describing the experience is recommended reading (5 minute read). He should be commended for his work.