TNW Conference 2022 will be bigger, bolder, and better! Get your tickets now >>

The heart of tech

This article was published on May 10, 2018

    PSA: Saving passwords in public Trello boards is a really, really bad idea

    Does it really need to be said?

    PSA: Saving passwords in public Trello boards is a really, really bad idea
    Matthew Hughes
    Story by

    Matthew Hughes

    Former TNW Reporter

    Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twi Matthew Hughes is a journalist from Liverpool, England. His interests include security, startups, food, and storytelling. Follow him on Twitter.

    If you put something on a publicly-accessible webpage, you should assume that it can (and eventually will) be read by another person. By that, I mean don’t put things you’d want to keep secret — like passwords and API credentials — in places where someone might eventually find them.

    Sounds obvious, right? That’s because it is.

    That said, one security researcher stumbled upon a troubling trend of organizations storing sensitive credentials in Trello documents, no less. An attacker could easily find these with little more than a Google query.

    The researcher, Kushagra Pathak, found a veritable treasure-trove of credentials. These include usernames and passwords for emails and social media accounts, as well as stuff that’s arguably more serious, like SSH credentials, and API secrets for a variety of online services, like Amazon Web Services.

    Finding these were as easy as typing into Google things like:

    inurl:https://trello.com AND intext:ssh AND intext:password
    

    Astonishingly, Pathak also encountered some organizations using public Trello boards to manage their bug bounty programs. This is worrying because they contain a list of ongoing and unresolved security issues. An adversary could use this information to easily enumerate the weaknesses within a website or system and break in. They could cause some serious damage.

    Pathak told TNW he encountered 40 instances where companies were accidentally leaking credentials via public boards. Following proper ethical disclosure practices, he informed the relevant parties. Many are yet to resolve the issue though, and none have paid him a bug bounty — which is pretty stingy.

    You can read the full details of the issue on Pathak’s blog post for FreeCodeCamp. It’s important to stress that this isn’t actually an issue with Trello, but rather with people improperly using the service’s public boards to store sensitive credentials.

    As a wise man once said, “there’s no patch for human stupidity.”

    Get the Security newsletter