If you put something on a publicly-accessible webpage, you should assume that it can (and eventually will) be read by another person. By that, I mean don’t put things you’d want to keep secret — like passwords and API credentials — in places where someone might eventually find them.
Sounds obvious, right? That’s because it is.
That said, one security researcher stumbled upon a troubling trend of organizations storing sensitive credentials in Trello documents, no less. An attacker could easily find these with little more than a Google query.
The researcher, Kushagra Pathak, found a veritable treasure-trove of credentials. These include usernames and passwords for emails and social media accounts, as well as stuff that’s arguably more serious, like SSH credentials, and API secrets for a variety of online services, like Amazon Web Services.
Finding these were as easy as typing into Google things like:
inurl:https://trello.com AND intext:ssh AND intext:password
Astonishingly, Pathak also encountered some organizations using public Trello boards to manage their bug bounty programs. This is worrying because they contain a list of ongoing and unresolved security issues. An adversary could use this information to easily enumerate the weaknesses within a website or system and break in. They could cause some serious damage.
Pathak told TNW he encountered 40 instances where companies were accidentally leaking credentials via public boards. Following proper ethical disclosure practices, he informed the relevant parties. Many are yet to resolve the issue though, and none have paid him a bug bounty — which is pretty stingy.
You can read the full details of the issue on Pathak’s blog post for FreeCodeCamp. It’s important to stress that this isn’t actually an issue with Trello, but rather with people improperly using the service’s public boards to store sensitive credentials.
As a wise man once said, “there’s no patch for human stupidity.”