Vulnerability Detail Report
- ZDID: ZD-2018-01105
- Vendor: vegan-taiwan-台灣區推廣
- Title: vegan-taiwan-台灣區推廣 Unintentional private data exposure in open Trello projects
- Introduction: Unintentional exposure of several pieces of private information in their public Trello project
- 2018/08/09 20:09:25 : New submission (modified by doctormaster)
- 2018/08/09 20:28:06 : New submission (modified by doctormaster)
- 2018/08/10 00:19:12 : Review completed (modified by HITCON ZeroDay service team)
- 2018/08/12 22:59:48 : Review completed (modified by HITCON ZeroDay service team)
- 2018/08/12 23:14:24 : Review completed (modified by HITCON ZeroDay service team)
- 2018/08/13 11:28:28 : Notification unanswered (modified by HITCON ZeroDay service team)
- 2018/08/16 13:11:08 : Patch in progress (modified by HITCON ZeroDay service team)
- 2018/08/16 14:23:34 : Patched (modified by HITCON ZeroDay service team)
- 2018/08/24 03:00:02 : Published (automatically updated by the HITCON ZeroDay platform)
- Reporter: doctormaster (doctormaster)
- Type: Information Leakage
OWASP vulnerability classification (Top 10 2017 - A3 Sensitive Data Exposure)
Months ago, before I joined ZERODAY HITCON, I came across this news article regarding the unauthenticated/open Trello boards vulnerability: https://securityaffairs.co/wordpress/72380/data-breach/trello-data-leak.html
I immediately set out to look for vulnerable boards spilling out secret information, and found that the "vegan-taiwan-台灣區推廣" Taiwanese Trello board was among those affected.
Here are the particular public Trello cards that unintentionally leak out secret info:
The GNACjk42 link has the login details of a Gmail inbox exposed, rendering numerous contestants' private information accessible to malicious users; I therefore preemptively changed the password to [email protected] approximately 3 months ago, well before I joined ZERODAY HITCON.
The dHCG0oiS link contains login details to their Wix sites and even the backend of their ticket portal, making them vulnerable to website defacement and possibly identity theft for the latter.
I have attempted to reach out to [email protected] (listed in https://vegantw.wixsite.com/chiapei/contact) and +886921741417 using WhatsApp (for reference, I used a Malaysian number ending with 0151 to reach her), but so far no word is forthcoming from her, let alone any meaningful fix to the problem.
Therefore, if the attempt to warn her about this issue via the HITCON platform is futile, I see nothing that can be done short of informing the authorities to warn her on our behalf.
Restrict access to your Trello boards and change your passwords immediately!