Saving passwords in public Trello boards is a really, really bad idea



If you put something on a publicly-accessible webpage, you should assume that it can (and eventually will) be read by another person. By that, I mean don’t put things you’d want to keep secret — like passwords and API credentials — in places where someone might eventually find them.

Sounds obvious, right? That’s because it is.

That said, one security researcher stumbled upon a troubling trend of organizations storing sensitive credentials in Trello documents, no less. An attacker could easily find these with little more than a Google query.

The researcher, Kushagra Pathak, found a veritable treasure-trove of credentials. These include usernames and passwords for emails and social media accounts, as well as stuff that’s arguably more serious, like SSH credentials, and API secrets for a variety of online services, like Amazon Web Services.

Finding these were as easy as typing into Google things like:

inurl: AND intext:ssh AND intext:password

Astonishingly, Pathak also encountered some organizations using public Trello boards to manage their bug bounty programs. This is worrying because they contain a list of ongoing and unresolved security issues. An adversary could use this information to easily enumerate the weaknesses within a website or system and break in. They could cause some serious damage.

Pathak told TNW he encountered 40 instances where companies were accidentally leaking credentials via public boards. Following proper ethical disclosure practices, he informed the relevant parties. Many are yet to resolve the issue though, and none have paid him a bug bounty — which is pretty stingy.

You can read the full details of the issue on Pathak’s blog post for FreeCodeCamp. It’s important to stress that this isn’t actually an issue with Trello, but rather with people improperly using the service’s public boards to store sensitive credentials.

As a wise man once said, “there’s no patch for human stupidity.”


Source link

Next Post

SEO Best Practices for Hospitals and Care Providers

[ad_1] Let’s face it: Not a lot of people are turning to the phone book to find a hospital or care provider these days. They’re hopping on the internet and searching for a type of service near them. This is where search engine optimization comes into play for your hospital […]

You May Like