
A flaw in a Trello API from Atlassian allowed private email addresses to be linked with Trello accounts, producing combined data profiles that are valuable to attackers. The problem came to light after a hacker offered the data of more than 15 million Trello users for sale.

A vulnerable API in Trello, Atlassian's online project management tool, allowed private email addresses to be matched to Trello accounts, Bleeping Computer reports. The result is large data profiles that combine public and private information and could be of great interest to attackers.

Problem in REST API

The hacker made the vulnerability public by trying to sell the data of more than 15 million Trello users on a hacker forum. According to the hacker, the problem is in a REST API provided by the tool. This API allows developers to integrate the project management tool into their own applications. Through one of the endpoints, they can request public information about a profile based on a user’s Trello ID or username.

The hacker found that the same endpoint also accepts an email address as the lookup key. Anyone could therefore take an email address and retrieve the associated Trello account and its public profile information. Moreover, the endpoint was publicly reachable and could be queried without logging in to a Trello account or supplying an API key.

In this way, the hacker retrieved Trello users' data, such as email addresses, usernames, full names and other account information.
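To make the mechanism concrete, here is an added example that is not Trello's or Atlassian's code: a toy model of a "public member profile" lookup that can be keyed by id, username or email address. It shows the unauthenticated email lookup described above, how an existing email list is joined against it to build combined profiles, and a hardened variant in which email keys are only honoured for authenticated callers. The member records, the API key and the "scraped" email list are all constructed for illustration, and the real endpoint paths and field names are not reproduced.

```python
"""
Added example (not Trello's or Atlassian's code): a toy model of a public
profile lookup keyed by id, username or e-mail address, before and after
hardening. All member records, API keys and the breach e-mail list below
are constructed for illustration.
"""
from typing import Callable, Iterable, Optional

# Constructed sample directory: what a public profile exposes (username,
# full name) plus the private e-mail address the account is registered with.
MEMBERS = [
    {"id": "5f1a9c1e", "username": "alice_pm", "full_name": "Alice Ng", "email": "alice@example.com"},
    {"id": "60b7d2f4", "username": "bob.dev", "full_name": "Bob Ortega", "email": "bob@example.org"},
    {"id": "61c3e0a9", "username": "carol", "full_name": "Carol Tan", "email": "carol@example.net"},
]

# Constructed API key accepted by the hardened variant.
VALID_API_KEYS = {"k-demo-1234"}


def public_profile(member: dict) -> dict:
    """Fields a profile page shows to everyone (the e-mail address is not one of them)."""
    return {"id": member["id"], "username": member["username"], "full_name": member["full_name"]}


def _find(key: str, fields: Iterable[str]) -> Optional[dict]:
    """Return the first member whose value in any of `fields` equals `key`."""
    for m in MEMBERS:
        if any(m[f] == key for f in fields):
            return m
    return None


def vulnerable_lookup(key: str, api_key: Optional[str] = None) -> Optional[dict]:
    """Before: any caller, authenticated or not, may resolve an id, a username OR an e-mail."""
    m = _find(key, ("id", "username", "email"))
    return public_profile(m) if m else None


def hardened_lookup(key: str, api_key: Optional[str] = None) -> Optional[dict]:
    """After: id/username lookups stay public (an assumption matching the article);
    e-mail keys are only honoured for authenticated callers, and an unauthenticated
    e-mail probe gets exactly the same answer as a miss, so it cannot serve as a
    yes/no oracle for whether an address has an account."""
    authenticated = api_key in VALID_API_KEYS
    if "@" in key and not authenticated:
        return None
    m = _find(key, ("id", "username", "email"))
    return public_profile(m) if m else None


def correlate(lookup: Callable[[str, Optional[str]], Optional[dict]],
              emails: Iterable[str], api_key: Optional[str] = None) -> dict:
    """What the article's attacker did: join a pre-existing e-mail list against the
    endpoint to produce e-mail -> (username, full name) profiles."""
    hits = {}
    for e in emails:
        p = lookup(e, api_key)
        if p:
            hits[e] = (p["username"], p["full_name"])
    return hits


# Constructed 'scraped' e-mail list: two registered addresses and one that is not.
BREACH_EMAILS = ["alice@example.com", "nobody@example.com", "carol@example.net"]

if __name__ == "__main__":
    print("vulnerable, no auth:", correlate(vulnerable_lookup, BREACH_EMAILS))
    print("hardened, no auth:  ", correlate(hardened_lookup, BREACH_EMAILS))
    print("hardened, with key: ", correlate(hardened_lookup, BREACH_EMAILS, "k-demo-1234"))
```

Run as a script, the vulnerable variant links both registered addresses to usernames and full names with no credentials at all, the hardened variant returns nothing to an unauthenticated caller, and an authenticated caller still gets the public profile data. Requiring a key alone does not end the problem: an authenticated client can still iterate an email list, so per-key rate limits and monitoring for high volumes of email-keyed lookups belong alongside the authentication check.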

Atlassian’s response

In a response sent to Bleeping Computer, Atlassian said the data the hacker gathered was mainly the product of scraping the Internet: according to the company, the hacker checked a pre-existing list of email addresses against publicly available Trello accounts. Atlassian's investigation also found no evidence of unauthorized access to Trello or to user profiles.

Atlassian has nonetheless modified the API in question so that unauthenticated callers can no longer resolve other users' public information by email address. Authenticated API users can still request information that is publicly available on other users' profiles.

Previous breaches in Atlassian tools

This is not the first time vulnerabilities have been discovered in Atlassian's products. Last year, Confluence was hit by several critical vulnerabilities that were found to be actively exploited.

Also read: Recently discovered Atlassian Confluence vulnerability massively exploited