Recent developments reveal a significant security breach involving approximately 15 million names, usernames, and email addresses linked to public Trello boards. This massive data exposure poses a serious threat, paving the way for potential account takeovers and spear-phishing attacks. The Trello platform’s parent company, Atlassian, has responded by implementing changes to a critical API to mitigate the risk of future scraping attacks.
The Trello Vulnerability
Trello, renowned for its project management and collaboration features, allows users to make their “boards” publicly accessible for streamlined collaboration across different entities. The administrator of a board can extend invitations via email to facilitate participation on public boards, utilizing a REST API for this purpose.
However, a cyber attacker known as “emo” exploited this API through a business logic attack. By manipulating the API with email addresses, emo could retrieve public profiles associated with those emails. This method enabled the unauthorized scraping of data from 15 million Trello profiles, connecting usernames with corresponding email addresses.
Addressing the Over-Sharing API
Jason Kent, hacker in residence at Cequence Security, emphasizes the ease with which such attacks can be constructed once the method is known. Describing it as the “Unholy Trinity,” Kent highlights that attackers identify vulnerable APIs, often lacking authentication requirements, containing sensitive data, and inadvertently accessible.
An Atlassian spokesperson clarified that while there was no unauthorized access to internal Trello systems, the API required a more robust configuration. In response, changes were made to prevent unauthenticated users or services from requesting another user’s public information using email addresses. Authenticated users can still access publicly available information on another user’s profile via the API, ensuring a balance between security measures and the functionality of the “invite to a public board by email” feature.
The spokesperson assured ongoing monitoring of the API’s usage, with a commitment to taking necessary actions to safeguard user data. A verification by Dark Reading confirmed that non-signed-in users are now restricted from viewing profiles at trello.com/[username].
Accountability in Question: Trello’s Response to Data Scraping Incident
The recent data scraping incident involving Trello has raised questions about accountability, with Atlassian framing the impact as limited to information already in the public domain. According to the Atlassian spokesperson, an exhaustive investigation points to a threat actor testing a pre-existing list of email addresses against publicly available Trello user profiles. The obtained information, the spokesperson claims, was already publicly accessible, and the threat actor combined it with email addresses from another source.
Disingenuous Defense?
A cybersecurity expert, Jason Kent views Trello’s defense as somewhat disingenuous, albeit legally sound. While acknowledging that the data accessed was public, Kent questions whether Trello’s terms and conditions permit the mass extraction of their entire database for personal use. He suggests that platform users may not consider such behavior normal or acceptable.
Technical Controls and Communication
Although scraping public data doesn’t technically qualify as a data breach, Troy Hunt, founder and CEO of Have I Been Pwned (HIBP), emphasizes the increasing accountability of companies in such cases. Hunt draws parallels to previous incidents, such as the Facebook-Cambridge Analytica scandal, where companies faced consequences for allowing data scraping to occur without users’ clear understanding or consent.
In contrast, Trello’s response, according to Hunt, lacks acknowledgment in their communications. While recognizing the need to prevent scraping through technical controls, particularly tightening the API, Trello falls short in openly addressing this aspect.
Recommendations for Businesses
Jason Kent recommends that in the absence of software providers actively preventing data scraping, businesses should prioritize penetration testing for critical applications. This approach aims to uncover potential vulnerabilities in APIs and business logic, similar to the issues encountered in the Trello incident.
Frequently Asked Questions (FAQs)
- Does Trello consider the data scraping incident a threat?The Atlassian spokesperson downplays the incident, framing it as impacting only publicly available information.
- What is Jason Kent’s view on Trello’s defense? Jason Kent finds Trello’s defense somewhat disingenuous, raising questions about the permissibility of mass data extraction per their terms and conditions.
- How does Troy Hunt emphasize accountability in data scraping incidents? Troy Hunt highlights the growing accountability of companies, citing past cases like the Facebook-Cambridge Analytica scandal, where consequences were faced for allowing data scraping without user understanding or consent.
- What does Trello’s response lack, according to Troy Hunt? Trello’s response lacks acknowledgment in their communications regarding the need to prevent scraping, despite implementing technical controls like tightening the API.
- What recommendation does Jason Kent provide for businesses? Jason Kent advises businesses to conduct penetration testing for critical applications to identify and address potential vulnerabilities in APIs and business logic.
