Intigriti - Hack Hub
View Permissions on Trello Boards
Last updated 12 months ago
Description:

Trello is a popular cloud-based list-making app often used by companies to manage, for example, tasks. By default, Trello boards are only visible to other members of your workspace. However, Trello also allows users to set a board's visibility to public, which makes it viewable by anyone and lets search engines and web archives such as Google and the Wayback Machine index it. As sensitive data such as internal company information can be shared between team members, it is best practice to cross-check each board's visibility settings and make sure only authorized users have read access.

Testing:

To check whether a Trello board is publicly accessible, simply visit the board URL and observe the response:

https://trello.com/b/{BOARD_ID}

There are various ways to enumerate Trello boards; the most common is to use Google's search syntax and search for company-related terms:

site:trello.com "company"

Google may already have taken action to prevent Trello boards from being indexed by its search engine. Always cross-check with several other search engines, such as DuckDuckGo, Bing, StartPage, etc.

Remediation:

It is recommended to set the visibility to Private so that only board members can see and edit the board. To do so:

  1. Sign in to your Trello account

  2. Open your board

  3. Next to your board name, click on the visibility button to change the visibility

  4. Finally, make sure to select Private
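To cross-check visibility across a whole workspace rather than board by board, the following is an added example (not part of Misconfig Mapper or Trello's own code) that audits boards through the Trello REST API and flags the ones whose permission level is public. It assumes the API's board objects carry a `prefs.permissionLevel` field with values such as "private", "org" and "public", and that `GET /1/organizations/{id}/boards` lists a workspace's boards given an API key and token; the embedded board list is constructed sample data so the audit itself runs offline.

```python
"""Audit Trello board visibility (added example, not the docs' own code).

Assumptions (labelled, not taken from the page): the Trello REST API
returns board objects with `prefs.permissionLevel` ("private", "org",
"public"), and /1/organizations/{id}/boards lists a workspace's boards.
"""
import json
import urllib.parse
import urllib.request

PUBLIC = "public"  # assumed permissionLevel value for publicly visible boards


def find_public_boards(boards):
    """Return (name, url) for every board whose permissionLevel is public."""
    flagged = []
    for board in boards:
        level = board.get("prefs", {}).get("permissionLevel")
        if level == PUBLIC:
            flagged.append((board.get("name"), board.get("url")))
    return flagged


def fetch_workspace_boards(org_id, api_key, token):
    """Fetch a workspace's boards (assumed endpoint; needs your own key/token)."""
    query = urllib.parse.urlencode(
        {"key": api_key, "token": token, "fields": "name,url,prefs"}
    )
    url = f"https://api.trello.com/1/organizations/{org_id}/boards?{query}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


# Constructed sample response shaped like the API's board objects; the
# board IDs in the URLs are placeholders, not real boards.
SAMPLE_BOARDS = json.loads("""[
  {"name": "Onboarding", "url": "https://trello.com/b/EXAMPLE01/onboarding",
   "prefs": {"permissionLevel": "private"}},
  {"name": "Infra runbooks", "url": "https://trello.com/b/EXAMPLE02/infra-runbooks",
   "prefs": {"permissionLevel": "public"}},
  {"name": "Marketing", "url": "https://trello.com/b/EXAMPLE03/marketing",
   "prefs": {"permissionLevel": "org"}}
]""")

if __name__ == "__main__":
    # Swap SAMPLE_BOARDS for fetch_workspace_boards(...) to audit a real workspace.
    for name, url in find_public_boards(SAMPLE_BOARDS):
        print(f"PUBLIC: {name} -> {url}")
```

Any board the audit flags should be switched to Private using the steps above.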

Potential Impact:

Unauthorized users may be able to gather sensitive internal information about your company, or even plain-text credentials (if shared), through various search engines when your boards are public and indexed. This information is often used for further attacks.

References:

https://support.atlassian.com/trello/docs/changing-the-visibility-of-a-b