Wednesday, June 6, 2018

Do you use Trello? It is time to check whether your admin or your vendor's admins have "misconfigured" it to expose credentials.



Examples
Seceon is a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time. But until a few weeks ago, the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.

A senior software engineer working for Red Hat Linux posted administrative credentials to two different servers in October 2017.

Maricopa County Department of Public Health (MCDPH) in California used public Trello boards to document a host of internal resources that are typically found behind corporate intranets, such as a board that aggregated information for new hires (including information about how to navigate the MCDPH’s payroll system).

A public Trello page maintained by HealthIT.gov — the official Web site of the National Coordinator for Health Information Technology, a component of the U.S. Department of Health and Human Services (HHS) — was leaking credentials.


https://krebsonsecurity.com/2018/06/further-down-the-trello-rabbit-hole/
