@Kushagra
Created October 5, 2018 14:22
Interview Answers: latesthackingnews

Q: According to a recent tweet, you mentioned that you got access to some FTP servers and a Jira instance, or bug tracker, owned by the UN. Can you explain further on that note?

A: While I was checking whether the United Nations also had any public Trello boards, after I had discovered a lot of Trello boards of the British and Canadian governments, I found 60 Trello boards of the United Nations over a few weeks of research.

On some of these boards, credentials to many FTP servers of the United Nations were present, and some boards contained links to a lot of Google Docs which were also public, so anyone with a link from these boards could view them. While searching through these Trello boards, I saw some references to Jira tickets, and when I tried to view them, to my surprise, the whole Jira instance was not protected and I was able to view all the discussion going on there.

Q: What kind of data was leaked? What is the severity of this issue, and how did the UN respond to this incident?

A: The Trello boards contained a plethora of sensitive information, which included lots of documents, internal communication, credentials to FTP servers, and credentials to some official social media accounts and email accounts. The Jira instance I found contained discussion about many security issues and lots of sensitive internal documents, and there were a bunch of resumes present there too. The whole issue was clearly of critical severity.

On August 20, I reported the Trello boards to the U.N.’s information security team. On September 4, the U.N. replied to say it would review my findings. After that, I continued to report more sensitive information I found to the U.N. but didn't receive a single reply from them, and even after many days not a single reported issue got fixed. So I decided to take the help of Micah Lee of The Intercept to report this to the U.N. so they would fix these critical leaks. On September 12, I received a reply from the U.N. that stated, “We were not able to reproduce the reported vulnerability. May we request you to provide the exact Google search criteria that was used?” Also on September 12, The Intercept contacted the U.N. After Micah contacted the U.N., they finally started to take these public Trello boards down and eventually locked down the Jira.

You can read more about what data was leaked by UN here.

Q: Can you briefly explain the exploit chain, or the techniques that you put into action?

A: In April, while researching, I found that a lot of individuals and companies are putting their sensitive information on their public Trello boards. Information like unfixed bugs and security vulnerabilities, the credentials of their social media accounts, email accounts, servers, and admin dashboards — you name it — is available on their public Trello boards, which are being indexed by all the search engines, and anyone can easily find them. So, I used multiple different Google dorks (Google advanced search queries) to find public Trello boards of the U.N.

You can read more in detail about the technique on my blog about that here.

Q: Are there still Trello boards of companies, like those, that are public?

A: Yes, a LOT.

Q: How would an organization in general combat and mitigate such scenarios as this?

A: Educating their employees more about security practices and being paranoid to some level, and keeping a regular check on the visibility of the cloud services they are using.
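The "regular check on the visibility of the cloud services" mitigation, applied to Trello itself, as an added example that is not part of the interview and not the interviewee's or Trello's code. The script lists every board the authenticated user can see, flags the ones whose permission level is public (readable by anyone and indexable by search engines, which is exactly what the dork-based searches in the earlier answer surface), and scans the cards on those boards for credential-looking text. The boards and cards embedded below are constructed sample data shaped like the responses of the Trello REST API v1 endpoints /1/members/me/boards and /1/boards/{id}/cards; fetch_trello() issues those live calls with an API key and token but is not invoked here so the script runs offline. The credential regexes are a starting heuristic, not a complete secret detector.

```python
"""Audit Trello board visibility and scan public boards for leaked credentials.

Added example (not from the interview or from Trello). The SAMPLE_* data is
constructed; fetch_trello() shows the real API calls but is not run offline.
"""
import json
import re
import urllib.parse
import urllib.request

# Constructed sample, shaped like GET /1/members/me/boards?fields=name,url,prefs
SAMPLE_BOARDS = json.loads("""[
 {"id": "b1", "name": "Web Team Ops", "url": "https://trello.com/b/b1/web-team-ops",
  "prefs": {"permissionLevel": "public"}},
 {"id": "b2", "name": "HR Hiring", "url": "https://trello.com/b/b2/hr-hiring",
  "prefs": {"permissionLevel": "private"}},
 {"id": "b3", "name": "Social Media", "url": "https://trello.com/b/b3/social-media",
  "prefs": {"permissionLevel": "public"}}
]""")

# Constructed sample, shaped like GET /1/boards/{id}/cards?fields=name,desc
SAMPLE_CARDS = {
    "b1": [{"name": "Deploy notes", "desc": "ftp://deploy:Summer2018!@ftp.example.org/htdocs"},
           {"name": "Retro", "desc": "Discuss sprint velocity"}],
    "b2": [{"name": "Candidate X", "desc": "resume attached"}],
    "b3": [{"name": "Twitter login", "desc": "username: org_press\npassword: Tw1tter#2018"}],
}

# Heuristics for credential-looking text; extend per organisation.
SECRET_PATTERNS = [
    # user:pass@host embedded in a URL (ftp://deploy:secret@host)
    re.compile(r"\b(?:ftp|sftp|ssh|https?)://[^/\s:@]+:[^/\s@]+@[^\s/]+", re.I),
    # "password: ..." / "pwd = ..." style lines
    re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    # API keys, secrets and tokens written as key/value pairs
    re.compile(r"\b(?:api[_-]?key|secret|token)\s*[:=]\s*\S+", re.I),
]


def public_boards(boards):
    """Return the boards whose permissionLevel is 'public' (anyone can read, search engines index)."""
    return [b for b in boards if b.get("prefs", {}).get("permissionLevel") == "public"]


def find_secrets(text):
    """Return every substring of text that matches one of SECRET_PATTERNS."""
    hits = []
    for pat in SECRET_PATTERNS:
        hits.extend(m.group(0) for m in pat.finditer(text))
    return hits


def audit(boards, cards_by_board):
    """One finding per public board: name, url and (card, match) pairs of credential-like text.

    Private and workspace-only boards are skipped: the exposure being audited is
    public readability, not insider access."""
    findings = []
    for board in public_boards(boards):
        leaks = []
        for card in cards_by_board.get(board["id"], []):
            text = card.get("name", "") + "\n" + card.get("desc", "")
            leaks.extend((card["name"], hit) for hit in find_secrets(text))
        findings.append({"board": board["name"], "url": board["url"], "leaks": leaks})
    return findings


def fetch_trello(key, token):
    """Pull live boards and cards via the Trello REST API v1 (not called in the offline demo)."""
    def get(path, **params):
        params.update(key=key, token=token)
        url = f"https://api.trello.com/1{path}?{urllib.parse.urlencode(params)}"
        with urllib.request.urlopen(url, timeout=30) as resp:
            return json.load(resp)

    boards = get("/members/me/boards", fields="name,url,prefs")
    cards = {b["id"]: get(f"/boards/{b['id']}/cards", fields="name,desc") for b in boards}
    return boards, cards


if __name__ == "__main__":
    # Swap SAMPLE_* for fetch_trello(key, token) to audit a real workspace.
    for finding in audit(SAMPLE_BOARDS, SAMPLE_CARDS):
        print(f"PUBLIC board {finding['board']!r} {finding['url']}")
        for card, hit in finding["leaks"]:
            print(f"  credential-like text in card {card!r}: {hit}")
```

Run it on a schedule with a token that belongs to a workspace admin so every board is visible to the check, and treat any public board as a finding even when no secret is matched: the visibility itself is the misconfiguration, the credential scan only ranks how urgent it is.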

Q: Can you share with us some more instances of leaks that you discovered in popular organizations/companies?

A: In May/June, I discovered a total of 50 Trello boards of the UK and Canadian governments containing internal confidential information and credentials. And I have discovered and responsibly reported leaks to more than 150 companies and individuals. The companies I reported to also included multiple Fortune 500 companies. Some companies were leaking credentials to all of their servers, social media accounts and CRM on their Trello boards. A lot of the companies didn't even reply to my emails but fixed the issue silently.

Q: Please tell us a bit more about yourself and how you got into security research!

A: From a very young age I was interested in infosec, and in recent years I started actively learning it and doing security research.
