Passwords to UK's and Canada's Government Servers Exposed. Who's to Blame?
Hollywood would have you believe that you'd need quite a few things if you want to steal sensitive information from the governments of two of the world's biggest economic superpowers. You'd need thousands of dollars' worth of equipment running sophisticated software developed by some of the world's best hackers. You'd need lots of 100-dollar bills neatly stacked in a leather suitcase and carried around by men with earpieces and sunglasses. You'd also need nervous government officials in black suits, and, last but not least, a hoodie-wearing teenager who knows more about computers than anyone could ever imagine.
That's Hollywood's version of events. The real world is a lot less glamorous and quite a bit scarier. It turns out that not that long ago, gaining access to sensitive information that belongs to British and Canadian government organizations involved nothing more than a web browser and basic knowledge about how Google works. We wish we were joking, but we aren't.
Finding sensitive information on the Internet is easier than you think
Kushagra Pathak is the security researcher who made the alarming discovery. Using nothing more than Google's search engine, he first found a stash of data that belonged to the UK government and included username and password combinations that would allow administration of servers and registration of domains on behalf of the British government. A portion of the source code of one of the government's websites was also visible, and so were access codes for conference calls, internal email communication, and information on security bugs and policies.
After some more digging around, Pathak stumbled upon another set of data, this time owned by the Canadian government. He saw FTP credentials, Eventbrite login details, web application management information, and communication on a recent cybersecurity incident.
All in all, some pretty serious data was visible to anyone who knew where to look. But how did it end up exposed?
Misconfigured Trello boards and cards
Trello, for those of you who don't know, is a project management application that enables team members to quickly and easily share information and assign tasks between themselves. Every task is put on a so-called card and is then "pinned" to a board which represents the whole project.
The British and Canadian governments, like so many other organizations all around the world, were using Trello cards and boards to manage different projects. Somehow, however, they ended up publicly facing the Internet, which naturally means that Google indexed them.
All Pathak had to do to get to them was to use the "inurl:" search modifier. Shortly after realizing what he had discovered, Pathak got in touch with the two governments' cybersecurity arms, and within a few days, the data was no longer accessible via Google.
Trello claims the problem is not design-related
This is not the first such incident. A few months ago, Kushagra Pathak discovered that private organizations were also inadvertently exposing login credentials and other sensitive information through public Trello cards and boards. Back then, this prompted a reaction from Michael Pryor, the project management platform's co-founder, who said that by default, Trello's cards and boards are set to be private and cannot be accessed by people who haven't been authorized to do so. This, as Trello users can testify, is true, which means that the two exposures happened because people responsible for keeping the data private changed a very vital setting.
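A defender-side audit that a workspace admin could run over their own boards, added here as an illustration and not taken from the article or from Trello: it flags boards whose visibility setting is public and cards whose text looks like credentials, ranking public boards that hold credentials first. It assumes Trello's board objects carry prefs.permissionLevel with the values private, org and public (as in the Trello REST API); the board and card data below is constructed inline rather than fetched.

```python
import json
import re

# Constructed sample shaped like Trello board objects (assumption: live data would come
# from GET /1/members/me/boards?fields=name,prefs with an API key and token; not fetched here).
SAMPLE_BOARDS = json.loads("""[
  {"id": "b1", "name": "DNS registrations", "prefs": {"permissionLevel": "public"}},
  {"id": "b2", "name": "Sprint 12", "prefs": {"permissionLevel": "private"}},
  {"id": "b3", "name": "Conference calls", "prefs": {"permissionLevel": "org"}}
]""")

# Constructed card texts per board (GET /1/boards/{id}/cards in the API).
SAMPLE_CARDS = {
    "b1": [{"name": "registrar login", "desc": "user: admin\npassword: EXAMPLE-ONLY"},
           {"name": "release notes", "desc": "nothing sensitive here"}],
    "b2": [{"name": "ftp box", "desc": "ftp://deploy:EXAMPLE@files.example.invalid/"}],
    "b3": [{"name": "dial-in", "desc": "access code: 123456"}],
}

# Credential-like markers; tune the list for your own boards.
CREDENTIAL_PATTERNS = {
    "password field": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]"),
    "credentials in URL": re.compile(r"(?i)\b[a-z]+://[^\s/:@]+:[^\s@]+@"),
    "access code": re.compile(r"(?i)\baccess code\s*[:=]"),
}

def is_public(board):
    """True when the board's visibility is 'public', i.e. indexable by search engines."""
    return board.get("prefs", {}).get("permissionLevel") == "public"

def credential_hits(cards):
    """(card name, pattern label) pairs for every card whose name or text matches."""
    hits = []
    for card in cards:
        text = f"{card.get('name', '')}\n{card.get('desc', '')}"
        hits += [(card["name"], label) for label, pat in CREDENTIAL_PATTERNS.items()
                 if pat.search(text)]
    return hits

def audit(boards, cards_by_board):
    """Findings sorted worst first: public + credentials, public only, credentials only."""
    findings = []
    for board in boards:
        hits = credential_hits(cards_by_board.get(board["id"], []))
        public = is_public(board)
        severity = "critical" if public and hits else "high" if public else "medium" if hits else None
        if severity:
            findings.append({"board": board["name"], "severity": severity, "hits": hits})
    return sorted(findings, key=lambda f: {"critical": 0, "high": 1, "medium": 2}[f["severity"]])
```

Run it against the real board list on a schedule; a "critical" finding means a board that is both search-engine visible and holding something that looks like a secret.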
Human error or just laziness?
Both the governments and the private organizations whose data was exposed in May are too embarrassed to admit what happened exactly, but it's clear that there are two options.
The first one is that someone made an honest mistake. Sometimes, making a board or a card public can help move the project forward. It's quite clear, however, that if you change the settings on the wrong board, you could end up in trouble.
The second hypothesis, something on which Pathak himself speculated, is that the whole thing happened because someone was in a rush to go home. He says that the people administering the boards might have decided that creating a private project and then adding all the individuals is too labor-intensive. That's why they made the projects public (thinking that nobody's going to bother looking for them on Google) and then just sent the links around.
Whatever the true reason, the fact remains that in both cases, something, somewhere, went horribly wrong. In fact, something is still wrong because a simple Google search will show you that public Trello projects are still exposing login credentials and tons of other sensitive data.