We recently interviewed Kushagra Pathak, who shared (on Twitter) an excellent Google dork that surfaces sensitive details on public Trello boards. It has been creating a buzz for some time, so let's get some first-hand knowledge of the finding from the researcher himself.
Want to learn how Kushagra used this simple Google dork to find data belonging to the UN exposed on public Trello boards? Continue reading below.
Interview link for authenticity –
https://gist.github.com/Kushagra/8116c08c58f91e30039b3781aa8b5689
Q: According to a recent tweet, you mentioned that you got access to some FTP servers and a Jira instance (a bug tracker) owned by the UN. Can you elaborate on that?
A: While I was checking whether the United Nations had any public Trello boards, I discovered a lot of Trello boards of the British and Canadian governments, and I found 60 Trello boards of the United Nations over a few weeks of research.
On some of these boards, credentials to many FTP servers of the United Nations were present, and some boards contained links to a number of Google Docs which were also public to anyone with the link. While searching through these Trello boards, I saw some references to Jira tickets; when I tried to view them, to my surprise the whole Jira instance was unprotected and I was able to view all the discussions going on there.
Q: What kind of data was leaked? What is the severity of this issue, and how did the UN respond to this incident?
A: The Trello boards contained a plethora of sensitive information, which included lots of documents, internal communication, credentials to FTP servers, and credentials to some official social media accounts and email accounts. The Jira instance I found contained discussions about many security issues, lots of sensitive internal documents, and a bunch of resumes as well. The whole issue was clearly of critical severity.
On August 20, I reported the Trello boards to the U.N.'s information security team. On September 4, the U.N. replied to say it would review my findings. After that, I continued to report more sensitive information I found on the U.N. but didn't receive a single reply from them. After many days, not even a single reported issue was fixed. So I decided to seek help from Micah Lee of The Intercept to report this to the U.N. so they would fix these critical leaks. On September 12, I received a reply from the U.N. stating, "We were not able to reproduce the reported vulnerability. May we request you to provide the exact Google search criteria that was used?" Also on September 12, The Intercept contacted the U.N. After Micah contacted the U.N., they finally started taking these public Trello boards down and eventually locked down the Jira.
The Intercept's report covers what data the UN leaked in more detail.
Q: Can you briefly explain the exploit chain, or the techniques that you put into action?
A: In April, while researching, I found that a lot of individuals and companies were putting their sensitive information on their public Trello boards. Information like unfixed bugs and security vulnerabilities, credentials for their social media accounts, email accounts, servers, and admin dashboards, you name it, was available on their public Trello boards, which are indexed by all the search engines so that anyone can easily find them. So I used multiple different Google dorks (Google advanced search queries) to find public Trello boards of the U.N.
You can read about the technique in more detail on my blog.
Q: Are there still Trello boards like that, belonging to companies, which are public?
A: Yes, a LOT.
Q: How would an organization, in general, combat and mitigate scenarios like this?
A: Educating their employees more about security practices and being paranoid to some level. And keeping a regular check on the visibility of the cloud services they are using.
Q: Can you share more instances of leaks that you discovered in popular organizations/companies?
A: In May/June, I discovered a total of 50 Trello boards of the UK and Canadian governments containing internal confidential information and credentials. I have discovered and responsibly reported leaks to more than 150 companies and individuals, including multiple Fortune 500 companies. Some companies were leaking credentials to all of their servers, social media accounts and CRM on their Trello boards. A lot of the companies didn't even reply to my emails but fixed the issue silently.
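The two technical points in this interview are the search technique (Google dorks scoped to public Trello boards) and the mitigation (a regular check on the visibility of the cloud services an organization uses). The script below is an added example written for this page; it is not Kushagra's tool, and the board data, names and credentials in it are constructed for illustration. It builds dork queries of the kind described, then audits a list of Trello boards offline: it flags boards whose `prefs.permissionLevel` is `public` and scans card names and descriptions for credential-shaped text such as `ftp://user:pass@host` or `password: ...`. The `fetch_org_boards` helper, which pulls real boards over the Trello REST API, assumes the `/1/organizations/{name}/boards` and `/1/boards/{id}` endpoints and the `cards`/`card_fields` parameters; it needs an admin API key and token and is not called in the offline run.

```python
import json
import re
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample input: two boards in the shape the Trello REST API returns for
# GET /1/boards/{id}?fields=name,url,prefs&cards=open (only the fields read below).
# The URLs and credentials are made up for this example.
SAMPLE_BOARDS = [
    {
        "id": "b1",
        "name": "Infra migration",
        "url": "https://trello.com/b/abc12345/infra-migration",
        "prefs": {"permissionLevel": "public"},
        "cards": [
            {"name": "Old FTP box", "desc": "login: ftp://deploy:Summer2018!@ftp.example.org/"},
            {"name": "Retro notes", "desc": "Discuss sprint velocity."},
        ],
    },
    {
        "id": "b2",
        "name": "Social media",
        "url": "https://trello.com/b/def67890/social-media",
        "prefs": {"permissionLevel": "org"},
        "cards": [
            {"name": "Twitter", "desc": "password: hunter2\nusername: @example_org"},
        ],
    },
]

# Text shapes that usually mean a credential was pasted into a card.
CREDENTIAL_PATTERNS = [
    re.compile(r"\b(?:ftp|sftp|ssh|https?)://[^\s/:@]+:[^\s@]+@", re.I),  # scheme://user:pass@
    re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    re.compile(r"\b(?:api[_-]?key|secret|token)\s*[:=]\s*\S+", re.I),
]


def build_dorks(org: str, keywords=("password", "credentials", "ftp", "jira")) -> List[str]:
    """Google advanced-search queries of the kind used to find public Trello boards.

    Public boards live under trello.com/b/<shortlink>/<slug>, so restricting the
    search to that path returns board pages rather than other Trello content.
    """
    return [f'site:trello.com/b "{org}" "{kw}"' for kw in keywords]


def scan_card_text(text: str) -> List[str]:
    """Return every credential-like fragment found in one card's name plus description."""
    return [m.group(0) for pat in CREDENTIAL_PATTERNS for m in pat.finditer(text)]


def audit_boards(boards: List[Dict]) -> List[Dict]:
    """Flag boards that are public and/or hold credential-like text.

    Severity: public + credentials -> critical (anyone on the internet can read them),
    credentials on a private/org board -> high (still a secret-hygiene failure),
    public board with no credentials -> medium (internal discussion is exposed).
    """
    findings = []
    for board in boards:
        public = board.get("prefs", {}).get("permissionLevel") == "public"
        leaks: List[Tuple[str, str]] = []
        for card in board.get("cards", []):
            for hit in scan_card_text(f"{card.get('name', '')}\n{card.get('desc', '')}"):
                leaks.append((card.get("name", ""), hit))
        if not public and not leaks:
            continue
        severity = "critical" if public and leaks else ("high" if leaks else "medium")
        findings.append({"board": board["name"], "url": board["url"], "public": public,
                         "leaks": leaks, "severity": severity})
    return findings


def fetch_org_boards(org_name: str, key: str, token: str) -> List[Dict]:
    """Pull every board of a Trello workspace via the REST API (assumed endpoints:
    /1/organizations/{name}/boards and /1/boards/{id}?cards=open). Needs an API key and
    token of a workspace admin; not called in the offline run below."""
    base = "https://api.trello.com/1"
    auth = f"key={key}&token={token}"
    with urllib.request.urlopen(f"{base}/organizations/{org_name}/boards?fields=id&{auth}") as r:
        ids = [b["id"] for b in json.load(r)]
    boards = []
    for bid in ids:
        url = f"{base}/boards/{bid}?fields=name,url,prefs&cards=open&card_fields=name,desc&{auth}"
        with urllib.request.urlopen(url) as r:
            boards.append(json.load(r))
    return boards


if __name__ == "__main__":
    for q in build_dorks("United Nations"):
        print("dork:", q)
    for f in audit_boards(SAMPLE_BOARDS):
        visibility = "public" if f["public"] else "not public"
        print(f"[{f['severity'].upper()}] {f['board']} ({visibility}) {f['url']}")
        for card, fragment in f["leaks"]:
            print(f"    card '{card}': {fragment}")
```

Run on the sample data, the public "Infra migration" board is reported as critical because it is both world-readable and contains an FTP credential, while the org-visible "Social media" board is reported as high: not indexable by search engines, but a pasted password is one board-visibility change away from being public. Scheduling `fetch_org_boards` plus `audit_boards` against a real workspace is one concrete form of the "regular check on visibility" the answer above recommends; the dork list is what a defender can paste into Google to see what an outsider sees.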
Q: Please tell us a bit more about yourself and how you got into security research!
A: From a very young age I was interested in infosec, and in recent years I started actively learning it and doing security research.