UN exposes sensitive data on public Trello boards

News roundup: The U.N. accidentally exposed credentials on public Trello boards. Plus, Uber is set to pay a $148 million settlement following its 2016 data breach cover-up, and more.

The United Nations accidentally exposed passwords and internal information to the public-facing internet by misconfiguring Trello boards and other web applications.

Security researcher Kushagra Pathak discovered the data leak by doing Google searches, which turned up public Trello boards. The information included credentials for a U.N. file server, an internal conferencing system and an internal web development platform. Trello, a project management web app, sets newly created boards to private by default, so any boards set to public were configured that way by the owner of the board.

Pathak told The Intercept that after he found one public Trello board in use by the U.N., it was easy to find others by looking at the board's users and discovering what other boards they were active on. On other public Trello boards, he found links to the issue tracking app Jira, where there was more sensitive information, and to Google Docs and Google Drive instances with documents that contained passwords.

Pathak reported his findings to the U.N.'s security team on Aug. 20. On Twitter, he criticized the U.N.'s response to his report; the organization didn't acknowledge it until Sept. 4, and no action was taken until Sept. 12, when a reporter from The Intercept reached out to the U.N. for comment.

While Pathak waited for the U.N. to address the report, he found and reported even more public Trello boards used by the organization; he found a total of 60 Trello boards, and several Google Docs and Google Drives, as well as sensitive information on the U.N.'s Jira account.

The U.N. began taking down the exposed information on Sept. 13, and most of it appears to be gone now.

Pathak has a history of finding public Trello boards containing sensitive information. He had previously discovered 50 such boards belonging to the governments of the United Kingdom and Canada that contained sensitive internal information, and in April 2018, he found a trove of sensitive credential information on Trello that belonged to dozens of organizations.

In other news

  • The VPNFilter malware that Cisco Talos disclosed in May has more capabilities than originally thought. According to additional research from Cisco Talos, there are seven extra third-stage modules that give VPNFilter malware more features. The modules' capabilities include redirecting and inspecting HTTP traffic, network mapping, denial-of-service attacks, reverse TCP VPNs on devices, and others. "As a result of the capabilities we previously discovered in VPNFilter coupled with our new findings, we now confirm that VPNFilter provides attackers all of the functionality required to leverage compromised network and storage devices to further pivot into and attack systems within the network environments that are being targeted," Cisco Talos wrote in a blog post. The research team is uncertain how threat actors are able to get access to the targeted devices.
  • Uber has agreed to pay $148 million in a settlement with the attorneys general of all 50 states following its 2016 data breach cover-up. Hackers stole the information of approximately 57 million U.S. customers and drivers of the ride-hailing app, and, rather than reporting the breach to the authorities -- as is required by law -- Uber paid the hackers $100,000 to keep it quiet. Almost a year after the initial breach, Uber's CEO revealed that the information the hackers had stolen included names, email addresses and cell phone numbers, as well as some driver's license numbers. The data breach cover-up led to Uber's former CSO Joe Sullivan being dismissed from the company. Sullivan later said that the payment to the hackers was part of a bug bounty program. The company has since appointed its first chief privacy officer and its first data protection officer.
  • A zero-day vulnerability has been found in the latest version of Apple's Mojave macOS. The flaw, found by security researcher Patrick Wardle, enables attackers to access sensitive data using an app that doesn't run with administrator permissions. This version of Mojave, released early this week, introduced new privacy protection features. But according to Wardle, the implementation of these privacy protections is where the vulnerability comes into play. In a demonstration, Wardle was able to run an unprivileged app and copy all the content from the address book to the desktop. The vulnerability doesn't affect all of the privacy features, and hardware-based components are largely unaffected.
