By misconfiguring pages on Trello, a popular project management website, the governments of the United Kingdom and Canada exposed to the entire internet details of software bugs and security plans, as well as passwords for servers, official internet domains, conference calls, and an event-planning system.
The U.K. government also exposed a small quantity of code for running a government website, as well as a limited number of emails. All told, between the two governments, a total of 50 Trello pages, known on the site as “boards,” were published on the open web and indexed by Google.
The computer researcher who found the sensitive material, Kushagra Pathak, had just this past April disclosed a wide swath of additional private data exposed to the public on Trello, which is widely used by software developers, among others. That earlier disclosure revealed that dozens of public Trello boards run by various organizations and individuals exposed email and social media credentials, as well as specific information on unfixed bugs and security vulnerabilities. Pathak even found an NGO sharing login details to a donor management software database, which in turn contained, he said, personally identifiable information and financial records on donors. In both the April research and the new research, the sensitive data on Trello was tracked down starting with a simple Google query.