Trello is a web-based list-making application that helps teams collaborate, manage projects and improve productivity by organising tasks. Trello boards are used by both individuals and enterprises to store personal and proprietary data. Trello provides the option of making boards private (visible only after inputting a password) or team-visible only (visible only to members approved by the initiator of that Trello board). Despite this, hundreds of Trello boards are public-facing, viewable by anyone, and expose both passwords and other sensitive information.
Since Trello is used by teams to collaborate on projects, in many cases usernames and passwords for WordPress dashboards, Slack teams, and Jira and Confluence instances are easily attainable with a simple Google search. This could give a potential attacker unrestricted access to an admin dashboard and to staging environments.
I tried finding such Trello boards by using Google Dorking. In many cases, the Trello boards found publicly included credentials to private individual accounts on gaming websites and streaming services. Some Trello boards included sensitive information of individuals relating to personal projects.
Focusing on enterprises, I found a Procter and Gamble Trello board which included sensitive information for their WordPress dashboard. While the username and password were really strong and not vulnerable to usual dictionary attacks, it was quite counter-intuitive that they were visible for any attacker to copy and paste from a Trello board. Soon, I found another Trello board which had credentials to Pfizer clinical research staging and production environments. This could lead to highly sensitive information disclosure. I reported both of these vulnerabilities to the respective security teams and both were remediated within a week of their reporting.
Trello boards should be used with care, and enterprises must allow private and team-visible boards only. Individuals should stop posting sensitive personal data on such boards. Using public Trello boards to find credentials for admin dashboards is by far one of the most trivial ways of elevating privileges and doesn't require any sophisticated attack.
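One way for a workspace administrator to enforce the "no public boards" rule is to audit board visibility through the Trello REST API and flag cards that look like they hold credentials. This is an added example, not code from the original post; it assumes the `organizations/{name}/boards` endpoint and the `prefs.permissionLevel` field (`public`, `org`, `private`), reads an API key and token from the hypothetical `TRELLO_KEY`, `TRELLO_TOKEN` and `TRELLO_ORG` environment variables, and otherwise runs against constructed sample data.

```python
import json
import os
import re
import urllib.parse
import urllib.request

TRELLO_API = "https://api.trello.com/1"
# Heuristic (constructed) list of keywords that suggest a card stores a secret.
SECRET_HINT = re.compile(r"\b(password|passwd|pwd|api[_ -]?key|token|secret)\b\s*[:=]", re.I)


def fetch_org_boards(org_name, key, token):
    """Fetch every board of a workspace via the Trello REST API (needs an admin token)."""
    query = urllib.parse.urlencode({"key": key, "token": token, "fields": "name,url,prefs"})
    url = f"{TRELLO_API}/organizations/{org_name}/boards?{query}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def public_boards(boards):
    """Return (name, url) for every board whose visibility is 'public'."""
    return [(b["name"], b["url"]) for b in boards
            if b.get("prefs", {}).get("permissionLevel") == "public"]


def credential_like_cards(cards):
    """Return names of cards whose title or description looks like it stores a credential."""
    return [c["name"] for c in cards
            if SECRET_HINT.search(c.get("name", "") + "\n" + c.get("desc", ""))]


# Constructed samples mirroring the JSON shapes the API returns, so the script runs offline.
SAMPLE_BOARDS = [
    {"name": "Marketing site", "url": "https://trello.com/b/xxxx/marketing",
     "prefs": {"permissionLevel": "public"}},
    {"name": "Release planning", "url": "https://trello.com/b/yyyy/release",
     "prefs": {"permissionLevel": "org"}},
    {"name": "Personal todo", "url": "https://trello.com/b/zzzz/todo",
     "prefs": {"permissionLevel": "private"}},
]
SAMPLE_CARDS = [
    {"name": "WP admin login", "desc": "user: admin\npassword: <placeholder>"},
    {"name": "Write blog post", "desc": "Draft due Friday"},
    {"name": "Staging API_KEY=abc123 (rotate!)", "desc": ""},
]

if __name__ == "__main__":
    boards = SAMPLE_BOARDS
    if os.environ.get("TRELLO_KEY") and os.environ.get("TRELLO_TOKEN"):
        boards = fetch_org_boards(os.environ.get("TRELLO_ORG", "my-workspace"),
                                  os.environ["TRELLO_KEY"], os.environ["TRELLO_TOKEN"])
    for name, url in public_boards(boards):
        print(f"PUBLIC board: {name} {url}")
    for card in credential_like_cards(SAMPLE_CARDS):
        print(f"credential-like card: {card}")
```

Any board reported as public should be switched to private or workspace-only, and any flagged card should have its secret moved to a proper secrets manager and rotated.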