In another example of how employees can defeat the best security strategies, a researcher has discovered Canadian and British government staffers misconfigured some of their web-based Trello project management software and exposed details of software bugs and security plans, as well as passwords for servers and other sensitive information.
The incidents were reported Thursday by The Intercept.
Trello lets users organize projects into boards made up of lists of cards. Cards can also carry messages for team members. Boards are private by default, according to the service provider. However, security researcher Kushagra Pathak found
— 25 Canadian government boards exposed to the public Internet.
On those boards was a range of information including remote file access credentials; login details for the Eventbrite event-planning platform; a link to an Excel file about managing control of a department’s web applications; discussion of additional security testing in the aftermath of a recent security incident; links to a Google folder with research documents; a security working group’s board with tasks related to audits and security testing; and a bug discussion.
Pathak reported his discovery to the Canadian Cyber Incident Response Centre, which removed public access to the boards.
In a statement to The Intercept a Canadian government spokesperson said “Government of Canada employees are being reminded of their obligation never to communicate or store sensitive information on Trello boards or any other unauthorized digital tool or service.”
— 25 public Trello boards belonging to different U.K. government departments.
These included login credentials to a U.K. government account on a domain registrar; emails that had been pasted onto the boards; a link to a snippet of backend code of a government site; login information for the cPanel server administration tool; a discussion of how to prevent personal information from being exposed to Google’s web analytics platform; and details about an earlier incident in which such information was exposed to the platform.
Pathak let the U.K. National Cyber Security Centre know of the exposure.
Why government Trello boards would be configured to be public — other than a mistake — is an unanswered question. Pathak is quoted as speculating that it’s slightly easier to make a board public and share the URL internally than it is to add people to a Trello team of authorized viewers.
Finding publicly exposed Trello boards through a search engine isn’t hard, he is quoted as saying. However, he admitted that in many cases it can be very difficult to identify the organization to which a board belongs, which slows responsible disclosure.
The incidents show that privacy has to be part of a written security policy, followed up with application audits, Forrester Research security analyst Joseph Blankenship said in an interview this morning. He also agreed that one problem may be that staff don’t see Trello as a medium for sensitive information. The key, he added, is a strict policy for those who have access to the application’s privacy controls.
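The kind of application audit the analyst describes can be partly automated. The script below is an added example written for this article, not code from Trello, the governments involved, or the researcher. It walks board data shaped like the Trello REST API responses (the `prefs.permissionLevel` field, whose values are `private`, `org` and `public`, is Trello's own), flags any board that is readable by the public Internet, and scans card text for credential-like strings such as the server passwords and cPanel logins found on the exposed boards. The board and card contents are constructed for the example; in real use the data would come from `GET /1/members/me/boards` and `GET /1/boards/{id}/cards` with an API key and token, which the script does not call so that it runs offline.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the Trello API's board and card objects.
# Names, IDs, URLs and credentials are invented for this example.
SAMPLE_BOARDS: List[Dict] = [
    {
        "id": "5b1ea1a1f0d1c2c3d4e5f6a7",
        "name": "Web Team Sprint",
        "url": "https://trello.com/b/aBcDeFgH/web-team-sprint",
        "prefs": {"permissionLevel": "public"},
        "cards": [
            {"name": "Rotate staging creds",
             "desc": "ftp host: files.example.org\nuser: deploy\npassword: Summer2018!"},
            {"name": "Retest after incident",
             "desc": "Schedule the follow-up pentest with the vendor."},
        ],
    },
    {
        "id": "5b1ea1a1f0d1c2c3d4e5f6a8",
        "name": "Security Working Group",
        "url": "https://trello.com/b/HgFeDcBa/security-working-group",
        "prefs": {"permissionLevel": "org"},
        "cards": [
            {"name": "cPanel access",
             "desc": "cpanel login for www1: user=admin password=P@ssw0rd"},
        ],
    },
    {
        "id": "5b1ea1a1f0d1c2c3d4e5f6a9",
        "name": "Lunch ideas",
        "url": "https://trello.com/b/IjKlMnOp/lunch-ideas",
        "prefs": {"permissionLevel": "private"},
        "cards": [{"name": "Tacos", "desc": "Friday?"}],
    },
]

# Patterns for the credential shapes seen in Trello leaks: "password: x",
# "api_key=...", and user:pass@ embedded in a URL. Tune for your environment.
SECRET_PATTERNS = [
    re.compile(r"\b(?:password|passwd|pwd|pass)\b\s*[:=]\s*\S+", re.I),
    re.compile(r"\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*\S+", re.I),
    re.compile(r"[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@", re.I),
]


def redact(match_text: str) -> str:
    """Blank the value part of a matched credential so reports don't re-leak it."""
    return re.sub(r"([:=]\s*)\S+$", r"\1***", match_text)


def scan_cards(cards: List[Dict]) -> List[Dict]:
    """Return redacted credential hits found in card names and descriptions."""
    hits = []
    for card in cards:
        text = f"{card.get('name', '')}\n{card.get('desc', '')}"
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(text):
                hits.append({"card": card.get("name"), "match": redact(m.group(0))})
    return hits


def audit_boards(boards: List[Dict]) -> List[Dict]:
    """Flag boards that are public, contain credentials, or both.

    Severity: critical = public board with credentials on it,
              high     = public board (anything on it is world-readable),
              medium   = credentials on a non-public board (still a policy breach).
    """
    findings = []
    for board in boards:
        level = board.get("prefs", {}).get("permissionLevel", "unknown")
        public = level == "public"
        hits = scan_cards(board.get("cards", []))
        if not public and not hits:
            continue
        severity = "critical" if public and hits else "high" if public else "medium"
        findings.append({
            "board": board.get("name"),
            "url": board.get("url"),
            "permissionLevel": level,
            "severity": severity,
            "secrets": hits,
        })
    return findings


if __name__ == "__main__":
    for f in audit_boards(SAMPLE_BOARDS):
        print(f"[{f['severity'].upper()}] {f['board']} ({f['permissionLevel']}) {f['url']}")
        for h in f["secrets"]:
            print(f"    card '{h['card']}': {h['match']}")
```

Run against the embedded sample it reports the public "Web Team Sprint" board as critical (public and carrying an FTP password) and the "Security Working Group" board as medium (team-only, but a cPanel password sits in a card), and stays silent about the private lunch board. For a board you only have a URL for and no API access, the assumed quick check is to request the board URL with `.json` appended: Trello answers with the board's JSON when the board is public and refuses otherwise.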
This isn’t the first report on misconfigured Trello systems. In May security reporter Brian Krebs said he notified a number of companies, including Uber, that their Trello boards were exposed to the public Internet. In June he and a researcher with the security firm Flashpoint found more. In some cases employees had put login credentials in messages sent to other staffers.