How I used a simple Google query to mine passwords from dozens of public Trello boards

A few days ago on 25th April, while researching, I found that a lot of individuals and companies are putting their sensitive information on their public Trello boards. Information like unfixed bugs and security vulnerabilities, the credentials of their social media accounts, email accounts, server and admin dashboards — you name it, is available on their public Trello Boards which are being indexed by all the search engines and anyone can easily find them.

How did I discover this?

I searched for Jira instances of companies running Bug Bounty Programs with the following search query:

inurl:jira AND intitle:login AND inurl:[company_name]

Note: I used a Google dork query, sometimes referred to as a dork. It is a search string that uses advanced search operators to find information that is not readily available on a website. — WhatIs.com

I entered Trello in place of [company name]. Google presented a few results on Trello Boards. Their visibility was set to Public, and they displayed login details to some Jira instances. It was around 8:19 AM, UTC.

I was so shocked and amazed 😲

So why was this a problem? Well, Trello is an online tool for managing projects and personal tasks. And it has Boards which are used to manage those projects and tasks. The user can set the visibility of their boards to Private or Public.

After finding this flaw, I thought — why not check for other security issues like email account credentials?

I went on to modify my search query to focus on Trello Boards containing the passwords for Gmail accounts.

inurl:https://trello.com AND intext:@gmail.com AND intext:password

And what about SSH and FTP?

inurl:https://trello.com AND intext:ftp AND intext:password
inurl:https://trello.com AND intext:ssh AND intext:password
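As an added example (not part of the original post), here is the defender's side of the same idea: a PowerShell audit of a Trello board's JSON export that flags cards matching the same markers the search queries above key on, together with the board's visibility. The board JSON is constructed for the demo; the field names (prefs.permissionLevel, cards[].name/desc/closed) follow Trello's export format.

```powershell
# Constructed sample of a Trello board export (not real data).
$boardJson = @'
{
  "name": "Ops backlog",
  "prefs": { "permissionLevel": "public" },
  "cards": [
    { "name": "Staging FTP", "desc": "host ftp.example.test user deploy password Summer2018!", "closed": false },
    { "name": "Sprint 14 retro", "desc": "Discuss velocity and the flaky CI job", "closed": false },
    { "name": "Old mailbox", "desc": "ops@gmail.com / pw: hunter2", "closed": true }
  ]
}
'@

# Each pattern mirrors one of the intext: terms from the search queries.
$markers = @{
    'gmail account' = '@gmail\.com'
    'password'      = '(?i)\bpassword\b|\bpw\b|\bpwd\b'
    'ftp'           = '(?i)\bftp\b'
    'ssh'           = '(?i)\bssh\b'
}

function Find-ExposedCredentials {
    param([Parameter(Mandatory)][string]$Json)
    $board = $Json | ConvertFrom-Json
    # "public" boards are the ones search engines can index.
    $isPublic = $board.prefs.permissionLevel -eq 'public'
    foreach ($card in $board.cards) {
        $text = "$($card.name) $($card.desc)"
        $hits = $markers.Keys | Where-Object { $text -match $markers[$_] } | Sort-Object
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Board    = $board.name
                Public   = $isPublic
                Card     = $card.name
                Archived = $card.closed   # archived cards are still in the export
                Markers  = ($hits -join ', ')
            }
        }
    }
}

# Two of the three constructed cards are reported; the retro card is clean.
Find-ExposedCredentials -Json $boardJson | Format-Table -AutoSize
```

Run it against the export of every board in your workspace and treat any hit on a public board as a credential rotation, not just a cleanup.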

🔎 What else I found

After spending a few hours using this technique, I uncovered more amazing discoveries, all while I kept on changing my search query.

Some companies use Public Trello boards to manage bugs and security vulnerabilities found in their applications and websites.

People also use Public Trello boards as a fancy public password manager for their organization’s credentials.

Some examples included the server, CMS, CRM, business emails, social media accounts, website analytics, Stripe, AdWords accounts, and much more.

Examples of public Trello boards which contain sensitive credentials

Here’s another example:

An NGO sharing login details to their Donor Management Software (database) which contained a lot of PII (personally identifiable information), and details like donor and financial records.

Until then I was not focusing on any specific company or Bug Bounty Programs.

But nine hours after I discovered this Trello vulnerability, I had found the contact details of almost 25 companies that were leaking some very sensitive information. So I reported them. Finding contact details for some of them was a tedious and challenging task.

I posted about this in a private Slack of bug bounty hunters and an infosec Discord server. I also tweeted about this right after discovering this Trello technique. The people there were as amazed and astonished as I was.

Then people started telling me that they were finding cool things like business emails, Jira credentials, and sensitive internal information of Bug Bounty Programs through the Trello technique I shared.

Almost 10 hours after discovering this Trello technique, I started testing companies running Bug Bounty Programs specifically. I then began with checking a well-known ridesharing company using the search query.

inurl:https://trello.com AND intext:[company_name]

I instantly found a Trello board that contained login details of an employee’s business email account, and another that contained some internal information.

To verify this, I contacted someone from their Security Team. They said they had received a report about the Board containing email credentials of an employee right before mine and about the other board containing some internal information. The security team asked me to submit a complete report to them because this was a new finding.

Unfortunately, my report got closed as a Duplicate. The ridesharing company later found out that they had already received a report about the Trello board I found.

In the coming days, I reported issues to 15 more companies about their Trello boards that were leaking highly sensitive information about their organizations. Some were big companies, but many don’t run a Bug Bounty Program.

One of the 15 companies was running a Bug Bounty Program, however, so I reported to them through it. Unfortunately, they didn’t reward me because it was an issue for which they currently don’t pay. 🤷

Update — 18 May 2018:

And just the other day, I found a bunch of public Trello Boards containing really sensitive information (including login details!) of a government. Amazing!

The Next Web and Security Affairs have also reported about this.

Thanks for reading my story.

Disable TLS 1.0 And 1.1 On Windows Server.

If you have a business need to disable these protocols on your engine servers in your environment, below is a snippet of the required registry changes you will need to make. Be aware that, once they are disabled, you should not expect the engine server to be able to interact with target systems that still rely on these protocols.

TLS 1.0

This subkey controls the use of TLS 1.0.

Applicable versions: As designated in the Applies To list that is at the beginning of this topic.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable the TLS 1.0 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

TLS 1.0 subkey table

Subkey              Description                                  Default
Client              Controls the use of TLS 1.0 on the client.   Enabled
Server              Controls the use of TLS 1.0 on the server.   Enabled
DisabledByDefault   Flag to disable TLS 1.0 by default.          Enabled

TLS 1.1

This subkey controls the use of TLS 1.1.

Applicable versions: As designated in the Applies To list that is at the beginning of this topic excluding those versions prior to Windows Server 2008 R2 and Windows 7.

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To disable the TLS 1.1 protocol, create an Enabled entry in the appropriate subkey. This entry does not exist in the registry by default. After you have created the entry, change the DWORD value to 0. To enable the protocol, change the DWORD value to 1.

TLS 1.1 subkey table

Subkey              Description                                  Default
Client              Controls the use of TLS 1.1 on the client.   Enabled
Server              Controls the use of TLS 1.1 on the server.   Enabled
DisabledByDefault   Flag to disable TLS 1.1 by default.          Enabled
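An added example (not from this page) that applies the registry changes described in both the TLS 1.0 and TLS 1.1 sections above from PowerShell and reads the result back. It assumes an elevated session, that SCHANNEL picks the change up after a reboot, and that the systems the server talks to support TLS 1.2.

```powershell
# Protocols key from the sections above (HKLM:\ is the PowerShell drive for HKLM).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enable
    )
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$role"
        # Neither the subkey nor the Enabled entry exists by default; create both.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 additionally stops
        # SCHANNEL offering it unless an application asks for it explicitly.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enable) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enable)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($role in 'Client', 'Server') {
        $key = Join-Path $base "$Protocol\$role"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Role              = $role
            # 'default' means the entry is absent, i.e. the OS default applies.
            Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' }
            DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' }
        }
    }
}

# Export the key first so the change can be rolled back.
reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' "$env:TEMP\schannel-backup.reg" /y | Out-Null

'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Protocol $_ -Enable $false }

# Read back all three versions: 1.0 and 1.1 should show Enabled=0, 1.2 should
# still be 'default' (or 1) so the server keeps a working protocol.
'TLS 1.0', 'TLS 1.1', 'TLS 1.2' | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } | Format-Table -AutoSize
```

The settings take effect after a reboot; check that the reported TLS 1.2 rows are not disabled before restarting.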

 

Enabling WPA2-Enterprise in Windows Vista and Windows 7

It is important to manually configure WPA2-Enterprise for your wireless network profile in Windows Vista and Windows 7. You must not be in the process of associating to the SSID because the configurations will not save correctly. Follow the steps below to configure WPA2-Enterprise.

  1. In Windows, navigate to Control Panel > Network and Internet > Network and Sharing Center.
  2. Click Manage Wireless networks.
  3. Click Add.
  4. Choose Manually create a network profile.
  5. On the next page, enter the following:
  • Network name: This is the SSID name. It is case sensitive.
  • Security type: Choose WPA2-Enterprise.
  • Encryption type: Choose AES.
  • Check Start this connection automatically if you want Windows to connect to this network automatically.
  • Check Connect even if the network is not broadcasting if the SSID is hidden and you want Windows to connect to this network automatically.

Click Next.

If the RADIUS server’s certificate may not be trusted by the wireless client, or the client is not a member of the domain in which the RADIUS server resides, click Change connection settings on the “Successfully added” page.

  1. Choose the Security tab.
  2. Click Settings.
  3. Uncheck Validate server certificate if the wireless client may not trust the RADIUS server certificate.
  4. For the Authentication Method, choose EAP-MSCHAP v2.
  5. Click Configure.
  6. Uncheck Automatically use my Windows logon name and password if the computer is not on the domain.
  7. Click OK.

It may be required to specify user or computer authentication based on whether the client is part of the domain or if machine or user authentication is a condition of the RADIUS policy.

To choose user or computer authentication, from the Security tab,

  a) Click Advanced settings.
  b) Select the 802.1X settings tab.
  c) Check Specify authentication mode.
  d) Choose User or computer authentication, or choose an alternate option if required.
  e) Click OK to close out.

Note: Your computer will use your Windows logon credentials and domain unless you uncheck the box as shown in the Step 12 screenshot.

WPA2-Enterprise with 802.1X Authentication

https://documentation.meraki.com/MR/Encryption_and_Authentication/Wireless_Encryption_and_Authentication_Overview

RADIUS: Configuring PEAP EAP-MSCHAPv2

/Wireless_LAN/Encryption_and_Authentication/Enterprise_(802.1X)/RADIUS:_WPA2-Enterprise_With_PEAP-MSCHAPv2_Using_Microsoft_NPS

How to run Firefox when your profile is missing or inaccessible

If you see a “Profile Missing” error message that says, “Your Firefox profile cannot be loaded. It may be missing or inaccessible”, it usually means that Firefox can’t find or access the profile folder. This article explains what to do if you see this error.


Table of Contents

  • If you moved, renamed, or deleted your Firefox profile folder
    • Profile was moved or renamed
    • Profile was deleted

If you moved, renamed, or deleted your Firefox profile folder

Firefox stores your user data and settings in a special profile folder and pulls information from this folder every time you start Firefox. The default profile folder location is under the %APPDATA%\Mozilla\Firefox\Profiles folder, which you can find using these instructions.

Profile was moved or renamed

If you know where your profile is, try one of the following methods to help Firefox find it.

  • Move the profile folder back to its original location.
  • Restore the profile’s original name if you’ve changed it.
  • Create a new profile using the Profile Manager. Give it a descriptive name, click on the Choose Folder button, and then select the profile folder you moved or renamed, before you finish the Create a new profile wizard.

Profile was deleted

If you deleted or lost your profile folder and have no way of restoring it, use one of these methods to create a new Firefox profile. Note: your new profile will not contain settings or user data from your deleted or lost profile.

  • Method 1: Use the Profile Manager wizard

Follow the steps in the Use the Profile Manager to create and remove Firefox profiles article to create a new profile.

  • Method 2: Manually delete the profiles.ini file

If you have problems accessing the Profile Manager, you can create a new default Firefox profile by deleting the profiles.ini file, using these steps:

  1. Click on the Windows Start button or press the Windows key to open the Start Menu.
  2. Type %appdata% (as you type, a Windows search will start) and press the Enter key. The hidden AppData\Roaming folder will open.
  3. Double-click the Mozilla folder.
  4. Double-click the Firefox folder.
  5. Delete (or rename, for example, to profiles.iniOLD) the profiles.ini file.

Note: Instead of deleting the profiles.ini file, you can delete (or rename) the folder that contains it. For example, right-click the Firefox folder and rename it FirefoxOLD.

When you start Firefox, a new profile will be created.
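An added example, not from the Mozilla article: a PowerShell function that reads profiles.ini, resolves each profile folder the way Firefox does (IsRelative=1 means relative to the Firefox folder) and reports profiles whose folder no longer exists, which is the situation behind the “Profile Missing” error. With -Repair it renames profiles.ini to profiles.iniOLD as in step 5 above. The INI parser and the -Repair switch are this example’s own, not Firefox tooling.

```powershell
function Test-FirefoxProfiles {
    param(
        [string]$FirefoxDir = (Join-Path $env:APPDATA 'Mozilla\Firefox'),
        [switch]$Repair
    )
    $ini = Join-Path $FirefoxDir 'profiles.ini'
    if (-not (Test-Path $ini)) { Write-Warning "no profiles.ini in $FirefoxDir"; return }

    # Minimal INI parser: key=value pairs collected under each [section].
    $sections = @{}; $current = $null
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; $sections[$current] = @{} }
        elseif ($current -and $line -match '^([^=]+)=(.*)$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }

    # Only [ProfileN] sections describe profile folders.
    $results = foreach ($name in ($sections.Keys | Where-Object { $_ -like 'Profile*' } | Sort-Object)) {
        $p = $sections[$name]
        $path = if ($p['IsRelative'] -eq '1') { Join-Path $FirefoxDir $p['Path'] } else { $p['Path'] }
        [pscustomobject]@{
            Section = $name
            Name    = $p['Name']
            Path    = $path
            Exists  = (Test-Path $path)      # $false here is what produces "Profile Missing"
            Default = ($p['Default'] -eq '1')
        }
    }
    $results | Format-Table -AutoSize

    if ($Repair -and ($results | Where-Object { -not $_.Exists })) {
        # Rename rather than delete so the old entries can be restored by hand.
        Rename-Item -Path $ini -NewName 'profiles.iniOLD' -Force
        "profiles.ini renamed; Firefox will create a new profile on next start"
    }
}

Test-FirefoxProfiles            # report only
# Test-FirefoxProfiles -Repair  # also rename profiles.ini if a folder is missing
```

If a listed path is wrong rather than gone, fixing the Path line in profiles.ini (method 1 above) keeps your data; only rename the file when the folder really is lost.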

Installing and configuring WSUS servers

A key issue system administrators deal with today is keeping client and server computers updated with the latest software patches and security updates. This becomes a cumbersome task when you have to deal with a large environment with many different computer configurations that require many different security updates and software patches.

Luckily for us, Microsoft has included a server role in Windows Server 2012 R2 called Windows Server Update Services, or WSUS, to make this task a bit easier to manage. With WSUS, we are able to download and manage the distribution of updates to the proper Windows clients and servers. We can then configure computers to obtain, from the WSUS server, the automatic updates that the administrator has pre-approved.

It’s a wonderful feature in Windows Server 2012 R2 and we are going to go through the process of installing and configuring a WSUS server in this blog post!

Installing Windows Server Update Services

Install it using the following steps with the options below:

  1. Open server manager, on the dashboard, click on “Add Roles and Features”, then click Next.
  2. Select “Role-based or feature-based installation”, then click Next.
  3. Select a Server or virtual hard disk you wish to install the WSUS role on, then click Next.
  4. Select Windows Server Update Services, then click Next.
  5. On the “Select Features” screen, click Next.
  6. On the “Windows Server Update Services” screen, click Next.
  7. On the “Select role services” screen, make sure “WID Database” and “WSUS Services” are selected, then click Next.
  8. On the “Content location selection” screen, you can specify a path to store updates locally, either on a local path or a remote path, then click Next.
  9. Click Install to start the WSUS role installation process.

Configuring Windows Server Update Services

Once the installation process completes, we can launch the post-installation tasks by clicking on the notification icon on the Server Manager Dashboard as seen below to configure the WSUS server.

If the “Windows Server Update Services Configuration Wizard” doesn’t pop up after you click “Launch Post Installation tasks”, you can manually start it by going to “Tools” and click “Windows Server Update Services”. That should start the configuration wizard as seen in the screenshot below:

  1. On the “Before You Begin” screen, make a note of the checklist and make sure you have all the necessary information before you continue.
  2. On the “Microsoft Update Improvement Program” screen, you can choose to send Microsoft information to improve the quality and reliability of updates.
  3. On the “Choose Upstream Server” screen, we can choose to synchronize updates from Microsoft Update or, if we already have another WSUS server, set it to sync from that WSUS server. In that setup, the main WSUS server is called the “upstream server” and the servers that sync with it are called downstream servers. We can also set this up as a replica of the upstream server, which mirrors the update approvals, settings, computers and groups from the parent; management is then done only on the upstream server. Since we don’t have any other WSUS servers set up, we’ll set it to “Synchronize from Microsoft Update”.
  4. On the “Specify Proxy Server” screen, you can enter the proxy server information, should your environment require it. For our example, we do not require a proxy server, so we’ll just click Next.
  5. On this screen, we’ll click “Start Connecting” to begin downloading information about the types of updates available, products that can be updated and available languages. This process can take a few minutes.
  6. On the “Choose Languages” screen, you can select to download updates for specific languages, or updates in all languages, depending on what your environment requires.
  7. On the “Configure Sync Schedule” screen, we can configure how we want to schedule our WSUS server for synchronization. We can set it to sync manually or schedule it to sync automatically.
  8. On the “Finished” screen, we can opt to begin the synchronization by selecting “Begin initial synchronization”. Click “Finish” to begin synchronization and conclude the WSUS configuration wizard. This process can be quite lengthy depending on the number of product updates, languages selected, and your internet connection.
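As an added example (not from the blog post), the same installation and first-run configuration done from an elevated PowerShell session on the server, using the UpdateServices module and the WSUS administration objects. D:\WSUS is an assumed content path and the two o’clock sync time is an assumed schedule; change both for your environment.

```powershell
$contentDir = 'D:\WSUS'   # assumed content location (wizard steps 1-9, step 8 in particular)

# Role install with the WID database, WSUS services and the management console.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Equivalent of "Launch Post Installation tasks": bind the content folder and WID.
New-Item -Path $contentDir -ItemType Directory -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$contentDir

$wsus   = Get-WsusServer          # local server on the default port 8530
$config = $wsus.GetConfiguration()

# Wizard step 3: upstream server = Microsoft Update. Step 4: no proxy.
Set-WsusServerSynchronization -UpdateServer $wsus -SyncFromMU
$config.UseProxy = $false

# Step 6: English only instead of all languages (keeps the download small).
$config.AllUpdateLanguagesEnabled = $false
$config.SetEnabledUpdateLanguages('en')
$config.Save()

# Step 5: fetch the catalog of products, classifications and languages only.
$subscription = $wsus.GetSubscription()
$subscription.StartSynchronizationForCategoryOnly()
while ($subscription.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 10 }

# Step 7: automatic synchronization once a day; TimeOfDay is interpreted as UTC.
$subscription.SynchronizeAutomatically          = $true
$subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 2
$subscription.NumberOfSynchronizationsPerDay    = 1
$subscription.Save()

# Step 8: kick off the initial full synchronization (can take a long time).
$subscription.StartSynchronization()
$subscription.GetSynchronizationProgress()
```

Products and classifications are left at their defaults here; they are selected in the console (or via the subscription object) once the category sync has finished.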

The ability to manage updates intelligently and centrally is crucial to the efficiency, reliability and security of any large environment. With WSUS, Microsoft has given us a very powerful tool to do just that. To learn more about WSUS and what it can do for your environment, visit the WSUS MSDN website.