Atlassian Tightens API After Hacker Scrapes 15M Trello Profiles

Published: 23/11/2024   Category: security




The company hasn't taken full responsibility for the incident, even though allowing scraping paves the way for dangerous follow-on attacks.



About 15 million names, usernames, and emails associated with public Trello boards have been collected and put up for sale on the Dark Web, opening the door to account takeovers and spear-phishing attacks down the line. Trello parent Atlassian says it's made changes to a critical API to help prevent scraping attacks from happening again, but is downplaying its responsibility for the incident, researchers say.
Trello, a project-management and collaboration platform, offers the ability to make its boards (i.e., workspaces) publicly findable for easier collaboration across disparate companies and stakeholders. The administrator of a board can invite other people via email to participate on their public boards, and that invite feature is enabled by a REST API.
An enterprising cyberattacker who goes by the handle "emo" was able to manipulate this API as a form of business logic attack: if someone queried the API using an email address, it would return the public profiles of any boards associated with that email. In this way, emo was able to scrape publicly available data on 15 million Trello profiles (which were available in the format trello.com/[username], which is how emo was able to associate usernames and emails together).
"Attacks like this are pretty easily constructed and sent, once the attack is known to work," says Jason Kent, hacker in residence at Cequence Security. "The threat actor will test various systems for information, and when a pattern emerges they can use generative AI or existing scripts to create an attack in a few minutes. They only need to find that an endpoint is giving data as a result of a request, then figure out if the request can be changed to get new data. We call this the Unholy Trinity because it is usually on an API they weren't aware they had, it isn't requiring authentication, and [it] often contains sensitive data."
An Atlassian spokesperson notes that there was no unauthorized access to internal Trello systems, but acknowledges that the API needed a tighter configuration.
"Given the misuse of the API uncovered in this investigation, we've made a change to it so that unauthenticated users/services cannot request another user's public information by email," she explains to Dark Reading. "Authenticated users can still request information that is publicly available on another user's profile using this API. This change strikes a balance between preventing misuse of the API while keeping the invite to a public board by email feature working for our users."
She adds, "We will continue to monitor the use of the API and take any necessary actions."
A quick check by Dark Reading showed that indeed, users who are not signed in are now blocked from viewing trello.com/[username] profiles.
The Atlassian spokesperson framed the incident as impacting only information that was already public, intimating that users are themselves responsible for what ends up in scrapers' hands.
"After an exhaustive investigation ... all evidence points to a threat actor testing a pre-existing list of email addresses against publicly available Trello user profiles," the Atlassian spokesperson says. "The threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source."
Kent believes that this is a bit of disingenuous spin. "Trello is saying this is all public data as a defense, but I would be willing to bet their terms and conditions do not permit me coming along and dumping out their entire database for my own use. I would also bet that the users of the systems don't expect this is normal behavior either."
While scraping of public data does not technically constitute a data breach, Troy Hunt, founder and CEO of Have I Been Pwned (HIBP) and a Microsoft regional director, has pointed out in the past that because people don't generally have an expectation that their data has been inappropriately accessed, redistributed and in all likelihood abused, companies have been increasingly held to account over allowing it to happen. It's for this reason, for example, that Facebook got into hot water over the Cambridge Analytica scandal, and subsequently added data scraping to the Meta bug-bounty program as a threat vector.
He tells Dark Reading, "Trello seems to recognize that scraping of this nature shouldn't occur based on the technical controls [i.e. tightening the API] they've implemented, but hasn't really acknowledged that in their communications."
In the absence of software providers focusing on preventing data scraping, Kent suggests that businesses should always have their critical business applications penetration-tested to uncover potential API and business logic issues like this.
To gain such scale with data scraping, the hacker was clearly working from a sizeable pool of known email addresses and an automated approach. But where did they come from?
According to Hunt, when he added the Trello data to the HIBP database of compromised credentials, every single one of the email addresses in emo's collection had already been added at some point in the past. Hunt's spot-check of 500 of the Trello emails revealed some of the sources:
Wattpad: 183
Canva: 174
Dropbox: 132
Twitter200M: 129
Collection1: 123
Gravatar: 120
PDL: 118
Nitro: 104
Deezer: 94
LinkedIn: 91
As for the risk to businesses, having such publicly available emails already collected into a nice, neat, voluminous database makes it a lot less labor-intensive for cybercriminals to mount brute-force attacks and credential stuffing for account takeovers.
"I'd be ... worried about credential stuffing from other username and password pair dumps," Hunt notes, given the massive scale of prior data dumps that include associated passwords, like the infamous Collection 1 password database from 2019.
And indeed, given that Trello boards contain plenty of proprietary data on in-progress and completed projects alike, affected businesses will want to ensure that they're protected with additional security controls such as multifactor authentication (MFA), not simply passwords alone.
"Cybercriminals appear to be having increased success in performing credential stuffing attacks in the past few months," Joseph Carson, chief security scientist and advisory CISO at Delinea, says, pointing to the just-disclosed Jason's Deli attack as an example. "When storing sensitive data, users need to make sure they use unique credentials on every account by using a password vault, a password manager, or a privileged access management solution. They should also use MFA so that even when accounts are compromised, the password is not the only security control protecting their data."
There's also a very real opportunity around phishing, according to Kent.
"Most of the follow-on attacks from this type of breach are contextual in nature," he notes. "Think of a phishing attack but I already know you are part of this system. I might send you a breach notification to reset your password, and have you click a link. That link might install malware or do something else. The context of the data makes it super important."