Security Data Breach: Trello API Misuse Reveals Email Links to 15M Accounts

What happened on trello breach?

Last week, reports emerged about a Trello data breach. Someone going by the name 'emo' tried to sell the information of 15,115,516 Trello users on a well-known hacking forum. The data includes emails, usernames, full names, and other account details. The post on the forum stated, "I'm selling one copy to anyone interested. Message me on-site or on Telegram.

While the majority of information in these profiles is public, the associated email addresses are not.

Who is affected?

Trello is a helpful online tool owned by Atlassian. Businesses often use it to organize information and tasks on boards, cards, and lists.

Key Terms to Understand:

• Rate Limiting : Rate limiting in the context of an API (Application Programming Interface) is a technique used to control the number of requests a user or client can make to the API within a specified time period. The purpose of rate limiting is to prevent abuse, misuse, or overuse of the API, ensuring fair usage and maintaining the overall performance and availability of the service.

• Exposed API : An exposed API signifies accessibility without adequate security measures, potentially posing privacy and data integrity risks. This vulnerability may result from insufficient authentication, authorization, or unintentional configuration errors, allowing unauthorized users or systems to access and manipulate the API.

API Exploitation

Trello API creates a potential linkage between confidential email addresses and Trello user accounts, giving rise to the possibility of generating numerous data profiles encompassing a blend of publicly available and private information.

Trello provides a REST API, allowing developers to seamlessly integrate the service into their applications. Among the various API endpoints, there is one that enables developers to retrieve public information about a user's profile based on their Trello ID or username.

However, 'emo' uncovered that this API endpoint could also be queried using an email address. If an associated account exists, one can retrieve the corresponding public profile information.

It's crucial to note that this API was publicly accessible, meaning it could be queried without the necessity of logging into a Trello account or using an API authentication key.

Subsequently, the threat actor compiled a list of 500 million email addresses and input them into the API to ascertain whether they were linked to a Trello account.

Trello's API imposes rate limits per IP address. To circumvent this restriction, the threat actor claimed to have acquired proxy servers, allowing them to rotate connections and continuously query the API.

Question: How did the attacker discover the existence of another email parameter?

Attackers may employ techniques like fuzzing, where they systematically submit various inputs (including email addresses in this case) to see how the system responds. By observing the API's behavior, the attacker could identify that it accepts email addresses as valid queries and returns relevant information, possibly leading to the exposure of user data.

Why testing hidden parameters is important?

Testing for hidden parameters in APIs is important because it helps uncover potential vulnerabilities or unintended functionalities that could be exploited by attackers. APIs may have additional parameters that are not publicly documented or visible, but can still be accessed and manipulated by malicious actors. By testing for hidden parameters, developers can identify and address these issues before they are exploited by attackers.

Check out this blog to understand the top 10 best practices for APIs.

Credential Stuffing Attack

Hunt reported that when he included the Trello data in the HIBP database of compromised credentials, every email address from emo's collection had already been previously added. In a sample check of 500 Trello emails, Hunt identified the following sources:

• Wattpad: 183

• Canva: 174

• Dropbox: 132

• Twitter200M: 129

• Collection1: 123

• Gravatar: 120

• PDL: 118

• Nitro: 104

• Deezer: 94

• LinkedIn: 91

This compilation of publicly available emails in a comprehensive database streamlines cybercriminals efforts in conducting brute-force attacks and credential stuffing for account takeovers, posing increased risks to businesses.

Trello Response

According to Trello, authenticated users can still access publicly available information from another user's profile using the API. This modification has been made to find a middle ground between preventing API misuse and maintaining the functionality of the 'invite to a public board by email' feature for our users.

Mitigations

To mitigate the exploitation of rate limits, the following steps can be taken:

• Implement a more robust rate limiting mechanism that takes into account not just the number of requests, but also factors like the type of requests, user behavior, and anomaly detection.

• Implement IP-based rate limiting in addition to user-based rate limiting, to further restrict the number of requests from a specific IP address.

• Implement proper authentication and authorization mechanisms for all APIs, including the use of API keys or tokens to ensure that only authorized users or systems can access and manipulate the APIs.

• Regularly review and update the API documentation to ensure that all exposed APIs are properly documented and any unintended functionalities are identified and addressed.

• Implement security controls, such as input validation and output encoding, to mitigate the risk of API exploitation through techniques like fuzzing.

• Conduct regular security assessments, including penetration testing, to identify and address any vulnerabilities in the APIs.