vegan-taiwan-台灣區推廣 Unintentional private data exposure in open Trello projects - HITCON ZeroDay

Vulnerability Detail Report

Vulnerability Overview

  • ZDID: ZD-2018-01105
  • Vendor: vegan-taiwan-台灣區推廣
  • Title: vegan-taiwan-台灣區推廣 Unintentional private data exposure in open Trello projects
  • Introduction: An unintentional exposure of several pieces of private information in their public Trello project

Handling Status

Current Status

Public
Last Update : 2018/08/24
  • New submission
  • Reviewed
  • Vendor notified
  • Patched
  • Not retested
  • Public

Handling History

  • 2018/08/09 20:09:25 : New submission (modified by doctormaster)
  • 2018/08/09 20:28:06 : New submission (modified by doctormaster)
  • 2018/08/10 00:19:12 : Review completed (modified by the HITCON ZeroDay service team)
  • 2018/08/12 22:59:48 : Review completed (modified by the HITCON ZeroDay service team)
  • 2018/08/12 23:14:24 : Review completed (modified by the HITCON ZeroDay service team)
  • 2018/08/13 11:28:28 : Vendor notified, no response (modified by the HITCON ZeroDay service team)
  • 2018/08/16 13:11:08 : Patch in progress (modified by the HITCON ZeroDay service team)
  • 2018/08/16 14:23:34 : Patched (modified by the HITCON ZeroDay service team)
  • 2018/08/24 03:00:02 : Public (updated automatically by the HITCON ZeroDay platform)

Details

  • ZDID: ZD-2018-01105
  • Reporter: doctormaster (doctormaster)
  • Risk: High
  • Type: Information Leakage

References

An attacker can use the leaked information to carry out further attacks.

OWASP vulnerability description (Top 10 2017 - A3 Sensitive Data Exposure)
https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure

CWE-200 description
https://cwe.mitre.org/data/definitions/200.html
(This field is generated automatically by the system from the vulnerability category and is provided as reference material.)

Related URLs

https://trello.com/b/bFkzeaLf/vegan-taiwan-%E5%8F%B0%E7%81%A3%E5%8D%80%E6%8E%A8%E5%BB%A3

Description

Months ago, before I joined ZERODAY HITCON, I came across this news article regarding the unauthenticated/open Trello boards vulnerability: https://securityaffairs.co/wordpress/72380/data-breach/trello-data-leak.html

I immediately set out to look for vulnerable boards spilling out secret information, and found that the "vegan-taiwan-台灣區推廣" Taiwanese Trello board was among those affected.

Here are the particular public Trello cards that unintentionally leak secret info:

https://trello.com/c/GNACkj42/4-20171118%E4%B8%96%E7%95%8C%E7%B4%A0%E9%A3%9F%E5%B9%B4%E6%9C%83
https://trello.com/c/dHCG0oiS/21-201803-ceva%E5%B7%A5%E4%BD%9C%E5%9D%8A

The GNACkj42 link has the login details of a Gmail inbox exposed, rendering numerous contestants' private information accessible to malicious users; therefore I preemptively changed the password to [email protected] approximately 3 months ago, well before I joined ZERODAY HITCON.

The dHCG0oiS link contains login details to their Wix sites and even the backend of their ticket portal, making them vulnerable to website defacements and possibly identity theft for the latter.

I have attempted to reach out to [email protected] (listed in https://vegantw.wixsite.com/chiapei/contact) and +886921741417 using WhatsApp (for reference, I used a Malaysian number ending with 0151 to reach out to her), but so far no word has been forthcoming from her, let alone any meaningful fixes to the problem.

Therefore, if the attempt to warn her about this issue via the HITCON platform is futile, I see nothing that can be done short of informing the authorities to warn her on our behalf.

Remediation Advice

Restrict access to your Trello boards and change your passwords immediately!
