Workplace App Trello Accidentally Uses Google to Expose User Passwords

There is no such thing as perfect security, but you should still take care not to leave apps like Trello completely open. Through an unlucky accident, several companies that were using this app had their passwords exposed online. Pretty much anyone who performed a Google search could have seen these credentials, which put all of those companies in danger.

Trello is an app that works much like a message board or an interactive to-do list. It’s mostly used by teams or companies to keep track of their tasks and achievements. It can also be used for communicating with co-workers, bookmarking frequently used websites, or storing important data, like usernames and passwords. Trello says that it has over one million users per day, which isn’t a good thing in this particular case.

Trello boards don’t require any sort of account or even a password to visit, so users can choose to leave them unlocked. If you know how to use Google with any skill, it doesn’t take much to reach the very poorly protected passwords that certain companies are using.

One of the websites with such poor password protection belongs to a Brazilian startup called Cinenoar, a movie streaming site. They seem to have been completely unaware that their Trello board was unlocked, and many of their administrative credentials were left completely exposed until today.

The company’s founder, Marcos Chaves, has stated that all of the passwords will have to be changed, but that it’s better this way, since at least they now know about their error. The company’s IT team had help from an outsider who worked on building their website. It’s believed that this outside developer was the one who made the Trello board open for easier access to information. After the site was completed, everyone simply forgot to make the board private.

The researcher who discovered this vulnerability, Neil Studd, commented that he found it remarkable that every part of the process worked as it was supposed to. The fault didn’t lie with the system; instead, it was human error.

Trello itself even recognized this problem and tried to get in contact with those who were exposing their data. Still, making a Trello board private probably won’t solve the entire problem. Because Google automatically provides ‘snippets’ whenever it lists search results for websites, some of these passwords might remain visible even after the boards are set to private.

The founder of another company, who asked not to be named, has stated that they also use this system to share passwords. Neither the founder nor anyone else within the company knew that all of their passwords were accessible to the public. When they discovered this shocking fact, they tried to make their Trello board private, but it didn’t fix the problem.

As for Google, it does allow its users to request the removal of old or deleted pages, but even that might not work. Still, some action has obviously been taken, since none of the passwords from these companies are visible anymore.