Workplace App Trello Unwittingly Exposes Passwords Through Google
Offices that leave boards unlocked often forget that anyone can find them
Some companies that use the project management application Trello have accidentally exposed their passwords to anyone who performs a Google search.
Trello, which says it has one million daily users, works somewhat like an interactive, shared to-do list — a “board” — for a company or team. If you already use it with your coworkers, it can be a convenient way to store important, shared information, like bookmarking frequently used websites — or administrative usernames and passwords.
Users can choose to keep their shared Trello boards unlocked, meaning it doesn’t require an account or password to visit. In such cases, all it takes is a good search for “password,” restricted to the domain “site:trello.com,” to see a list of poorly hidden company passwords.
One such site is Cinenoar, a Brazilian movie streaming startup, which was unaware that its Trello board was unlocked — and that the administrative credentials to its website were exposed — until being contacted for this story.
“I’ll have to change all passwords, but, better this way,” founder Marcos Chaves Martins told Vocativ over Skype. The site’s IT team had once hired an outside developer to help build the site, he said, and made their Trello board public to share operations, but forgot to make it private again.
“The most remarkable aspect is that each individual part of the process was working exactly as designed,” said Neil Studd, a security researcher who discovered and tweeted about the vulnerability. “But, as with many security incidents, a system is only as strong as its weakest link — in this case, the end-users who compromised their own details.”
In a statement provided to Vocativ, Trello said that it was aware of the problem, and recently sought out users who were broadcasting their passwords. “Trello recently identified these boards and has taken steps to change their boards to private,” the company said.
However, simply making a Trello board private doesn’t necessarily fully solve the problem. Google automatically provides “snippets” from a website when listing search results, and some passwords are still visible in cached snippets from Trello boards that have since been locked.
“This was a way to keep our passwords and share it among certain employees,” said the founder of another company, whose former administrative password was still cached as a Google snippet when reached by Vocativ. The founder requested not to be named because he was worried about his company’s security.
“Unbeknownst to us, it was a public board that anybody could see on Trello,” the founder said. “When we tried to make it private, no you still can see it. Worse, you find out way after the fact [that] there are actual Google links sharing this information.”
Google does allow users to request outdated or deleted pages be removed from its search results, though there isn’t a guarantee for how long that takes. The company didn’t offer formal comment, but as of this writing, the passwords that prompted Vocativ to reach out to a handful of companies are no longer visible on the site.
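The fix the article describes has two parts: find every board your team has left public and lock it, then treat anything that was ever on a public board as already disclosed (rotate it, and separately ask Google to drop the cached snippet). The following script is an added example, not Trello’s code or anything from the article; it uses Trello’s REST endpoints for listing a member’s boards, listing a board’s cards and setting a board’s `permissionLevel`, with a hypothetical API key and token supplied by the reader. The board and card data below are constructed samples so the audit runs offline; the live calls are included for a real run but are not exercised here.

```python
import json
import re
import urllib.parse
import urllib.request

TRELLO_API = "https://api.trello.com/1"

# Constructed sample of the JSON returned by GET /1/members/me/boards?fields=name,url,prefs
SAMPLE_BOARDS = json.loads("""
[
  {"id": "b1", "name": "Ops runbook", "url": "https://trello.com/b/b1/ops-runbook",
   "prefs": {"permissionLevel": "public"}},
  {"id": "b2", "name": "Sprint 12", "url": "https://trello.com/b/b2/sprint-12",
   "prefs": {"permissionLevel": "private"}},
  {"id": "b3", "name": "Vendor onboarding", "url": "https://trello.com/b/b3/vendor-onboarding",
   "prefs": {"permissionLevel": "org"}}
]
""")

# Constructed sample of the cards on one board (GET /1/boards/{id}/cards?fields=name,desc)
SAMPLE_CARDS = [
    {"id": "c1", "name": "Admin login", "desc": "user: admin\npassword: hunter2"},
    {"id": "c2", "name": "Fix homepage banner", "desc": "CSS regression on mobile"},
    {"id": "c3", "name": "API key for payments", "desc": "apikey=sk_test_abc123"},
]

# Loose pattern for "label: value" credential lines; tune it for your own conventions.
SECRET_PATTERN = re.compile(
    r"\b(pass(word|wd)?|pwd|secret|api[_ -]?key|token)\b\s*[:=]", re.IGNORECASE
)


def public_boards(boards):
    """Boards readable without a login, which is exactly what search engines index."""
    return [b for b in boards if b.get("prefs", {}).get("permissionLevel") == "public"]


def audit(boards):
    """(name, url) pairs for every public board, for the report a team would act on."""
    return [(b["name"], b["url"]) for b in public_boards(boards)]


def flag_secret_cards(cards):
    """IDs of cards whose title or description looks like a stored credential."""
    return [
        c["id"] for c in cards
        if SECRET_PATTERN.search(c.get("name", "")) or SECRET_PATTERN.search(c.get("desc", ""))
    ]


def fetch_boards(key, token):
    """Live call: list the boards visible to the API token's member."""
    qs = urllib.parse.urlencode({"key": key, "token": token, "fields": "name,url,prefs"})
    with urllib.request.urlopen(f"{TRELLO_API}/members/me/boards?{qs}") as resp:
        return json.load(resp)


def fetch_cards(board_id, key, token):
    """Live call: list the cards on one board."""
    qs = urllib.parse.urlencode({"key": key, "token": token, "fields": "name,desc"})
    with urllib.request.urlopen(f"{TRELLO_API}/boards/{board_id}/cards?{qs}") as resp:
        return json.load(resp)


def make_private(board_id, key, token):
    """Live call: flip a board's permissionLevel to private."""
    qs = urllib.parse.urlencode({"key": key, "token": token, "value": "private"})
    req = urllib.request.Request(
        f"{TRELLO_API}/boards/{board_id}/prefs/permissionLevel?{qs}", method="PUT"
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status == 200


if __name__ == "__main__":
    # Offline run over the constructed samples; replace with fetch_boards()/fetch_cards()
    # using your own key and token for a real audit.
    for name, url in audit(SAMPLE_BOARDS):
        print(f"PUBLIC board: {name} {url}")
    print("cards that look like stored credentials:", flag_secret_cards(SAMPLE_CARDS))
```

Anything `flag_secret_cards` reports on a board that was ever public should be rotated rather than merely hidden: as the article notes, locking the board stops new crawls but does not pull back what Google has already cached, so the removal request to Google is a separate step.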