Introduction
Recon plays a very important part in finding vulnerabilities. The more creative the Recon process, the higher the likelihood of finding an undiscovered vulnerability.
In many organisations, developers use Trello to help them collaborate and organise projects. This leads to developers sharing credentials to various dashboards and code bases. When the visibility setting of these Trello boards are set to “Public”, anyone on the internet can view them which can lead to easy access to dashboards such as Jira, Confluence, Asana, Slack.
Methodology
To find open Trello boards, I made use of Google Dorks. The Google Dorks I used were:
site:trello.com keyword
 
where the keyword could be:
 
jira password
asana password
confluence password
 
Another way to go about this could be to focus on a particular company by using the dork:
site:trello.com companyname
 
Since I cannot disclose the name of the company, I shall call it an automotive manufacturing corporation.
I found an open Trello board which claimed to have email, password and a 24 digit alpha-numeric recovery code to an automotive manufacturing corporation's internal Jira dashboard. At first, I was skeptical because the email was not of the form
xyz@companyname.com
 
but contained a separate company domain. I decided to dive a bit further. I googled the company domain and found that the company specialises in marketing for the world’s leading brands of automobiles.
After this I decided to search whether the credentials were of a legitimate employee since in many cases not only could the credentials be outdated but the employee could have moved on from this company. I used a sock account on LinkedIn to verify the employee and found that he was still a part of the organisation and still a part of that project with the automotive manufacturing corporation.
I tried to login to the account by accessing a website meant for the automotive manufacturing corporation's employees but this threw an error saying invalid credentials.
I decided maybe because this employee is part of a third-party, the login page would be different, so I Google searched for the automotive manufacturing corporation name+login+collaboration
This led me to find a login page for all employees collaborating with the automotive manufacturing corporation.
I used the Trello credentials to login in to the account but this user had enabled 2FA. It asked for a 6 digit from the Google Authenticator. This is where the recovery code came in handy. I clicked on “Use Recovery Code” and entered the 24 digit alpha-numeric code. This generated a new recovery code which I had to note and then logged me in.
I now had access to the Jira dashboard where I could view projects, code issues, platforms and even employees involved.
Key Takeaways
  • Trello boards should never be used to share or store email ids and passwords.
  • Organisations using Trello boards for collaboration must ensure to make all boards private.
  • Enable stronger 2FA.