
How I used a Google query to mine passwords from dozens of public Trello boards - timvdalen
https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724
======
throwawaymath
Here is another (Google) search query that yields a lot of email addresses and
passwords:

    site:vk.com/doc "@gmail.com"

As it turns out, vk.com (and other large social networks) are used for
discreetly sharing large lists of credentials. These are publicly crawled by
Google but do not typically end up on lists of email or password breaches. You
can find many credentials this way that are not (for example) in the
haveibeenpwned database.

More generally, this is why "google dorking" can be a sophisticated
reconnaissance method for collecting a variety of data that is _technically
public_ but not intentionally so.

~~~
weinzierl
Just to put this in context and because in my experience many people miss this
fact:

vk.com is _huge_.

SimilarWeb ranks it at position eight for worldwide traffic; this is right
after Twitter and above Instagram and Wikipedia.

~~~
jaytaylor
Never heard of this site.

About:

"VKontakte (or VK for short) is a social media networking site. Like most
social media networks you can add friends, gain followers, and post photos of
your food and your cat. VK, like Facebook also gives companies the ability to
create their own pages for marketing purposes."

[https://www.echosec.net/what-is-vk-and-why-should-you-care/](https://www.echosec.net/what-is-vk-and-why-should-you-care/)

Still don't understand why so many logins are being publicly exposed there.

~~~
guessmyname
> _Still don't understand why so many logins are being publicly exposed
> there._

• VK is the most popular website in Russia.

• There are many hackers in Russia.

Connect the points.

------
kuschku
You can also search for AWS keys and you’ll find quite a few. Or for Heroku
keys.

It’s funny and sad at the same time.

> the access key for amazon s3 is:

    User XXXXXXX
    Access Key ID: XXXXXXXXXXXXXXXXXXX
    Secret Access Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

> Let me know when you've recorded these and I'll delete the comment.

(blacked out by me)

Or fitgoapp, which has publicly accessible services, with passwords "fitgo"
and "fitgoapp" (also visible on trello).

Just go through the entire list of queries at
[https://www.exploit-db.com/google-hacking-database/](https://www.exploit-db.com/google-hacking-database/)
and you'll find so many exposed passwords, it's crazy. No one ever
properly protects their keys and passwords.

~~~
Sahbak
At a previous company, a new employee accidentally committed his AWS
credentials to a public GitHub repo, which had instance creation capabilities.
It got scraped and we had the max amount of instances created at every zone
(we assume for mining). I assume you have bots scraping public sites for those
creds at all times.

------
blowski
I don't know how you'd stop this. If people are so careless with their
credentials, is it the responsibility of sites like Trello to protect them?

~~~
sethammons
I think Trello should be doing similar scraping, automatically. My work does,
granted it is potentially a bit easier in our case. We scan things like GitHub
repos and look for credentials to our system, and, if found, deactivate the
credential and reach out to the customer.

~~~
guessmyname
Slack does this as well with API tokens, I believe. If they find them in a
commit, they'll automatically revoke them.

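The scan-then-revoke-then-notify flow that sethammons and guessmyname describe above, as an added example in Python (not code from the thread, the article, or any of the providers named). It scans text for a few documented credential formats, masks every match so it can be logged safely, and deactivates any match that is a live key in an in-memory registry that stands in for the provider's key store. The sample text and registry are constructed; the AWS values are Amazon's published placeholder keys and the Slack token is made up in the documented `xoxb-` shape.

```python
"""Detect credential-shaped strings in text, mask them for logging, and
deactivate any that are live keys. Added example; registry and input are
constructed, not taken from any real system."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Documented public formats: AWS access key IDs are "AKIA" + 16 uppercase
# alphanumerics; Slack bot/user tokens start with "xoxb-"/"xoxp-". The
# labelled secret form mirrors the pasted comment quoted earlier in this thread.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(r"Secret Access Key:\s*([A-Za-z0-9/+=]{40})\b"),
    "slack_token": re.compile(r"\b(xox[bp]-[0-9]+-[0-9A-Za-z-]+)\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    masked: str  # safe to put in logs and tickets
    value: str   # full secret, used only to look up and deactivate the key


def mask(secret: str) -> str:
    """Keep the first and last four characters so an owner can recognise the key."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-shaped match, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1)
                findings.append(Finding(kind, line_no, mask(secret), secret))
    return findings


class KeyRegistry:
    """Stand-in for the provider's key store: active keys and their owners (constructed)."""

    def __init__(self, keys: dict[str, str]):
        self._owner = dict(keys)        # key -> owning account
        self._active = set(keys)        # keys that still authenticate

    def is_active(self, key: str) -> bool:
        return key in self._active

    def owner(self, key: str) -> str | None:
        return self._owner.get(key)

    def deactivate(self, key: str) -> None:
        self._active.discard(key)


def respond(findings: list[Finding], registry: KeyRegistry) -> list[dict]:
    """Deactivate each finding that is a live key and return the notification
    to send its owner. Matches that are not live (rotated keys, other
    providers' secrets) are reported by the scan but trigger no action."""
    actions = []
    for f in findings:
        if registry.is_active(f.value):
            registry.deactivate(f.value)
            actions.append({"owner": registry.owner(f.value), "kind": f.kind,
                            "line": f.line_no, "key": f.masked})
    return actions


# Constructed sample: a pasted note of the kind quoted in this thread.
SAMPLE_TEXT = """the access key for amazon s3 is:
User deploy-bot
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
slack bot: xoxb-123456789012-abcdefghijkl
old key (already rotated): AKIAJUNKJUNKJUNKJUNK
"""

# Constructed registry: only two of the strings above are still live keys.
CONSTRUCTED_KEYS = {
    "AKIAIOSFODNN7EXAMPLE": "team-a",
    "xoxb-123456789012-abcdefghijkl": "team-b",
}


def run_demo() -> list[dict]:
    registry = KeyRegistry(CONSTRUCTED_KEYS)
    findings = scan_text(SAMPLE_TEXT)
    for f in findings:
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    return respond(findings, registry)


if __name__ == "__main__":
    for action in run_demo():
        print("deactivated and notified:", action)
```

Only the masked form ever reaches the log line, and the secret itself is consulted only for the registry lookup; the rotated key on the last line shows up in the scan output but produces no action because it is no longer live.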
~~~
leetcrew
I'm guessing your name is timvdalen?

------
rando444
This guy seems to have given more regard to impressing his twitter followers
than the privacy concerns of these companies.

~~~
martin-adams
Which appears to have backfired when his bug bounty was marked as duplicate by
the looks of things

------
cientifico
With the GDPR, this is not just a security vulnerability. It is a law violation
for not making best efforts to protect customer private information.

~~~
throwawaymath
I don't think this is a GDPR violation _or_ a security vulnerability.

The purview of GDPR is personally identifiable information, whereas these are
vulnerability details and passwords. If companies were storing their user
lists in Trello boards that might be a bit different, but the examples in this
blog post do not seem to be related to user data. They are also being
volunteered by the companies using Trello, not Trello itself, so a potential
violation would probably be levying fees against individual companies.

It also doesn't strike me as a security vulnerability because it's not a
technical failure in Trello's software. This is closer to accidentally
publishing AWS keys on Github or opening a phishing email, and in neither case
would GitHub or (say) Gmail be responsible for that. There are proactive steps
they can take to mitigate this kind of mistake (as GitHub and Gmail do), and
it's arguable Trello should do the same, but it doesn't seem like a compliance
or security failure whatsoever.

~~~
seanhunter
Although PII is dealt with in GDPR, GDPR doesn't only cover PII, and it makes
numerous references to the obligation on anybody who processes personal data
(not just PII) with respect to security. For example "Personal data should be
processed in a manner that ensures appropriate security and confidentiality of
the personal data, including for preventing unauthorised access to or use of
personal data and the equipment used for the processing."

------
reustle
I wonder if there's some secret group of hackers out there notifying these
people of their clumsiness, urging them to correct it

~~~
nashashmi
Who is clumsy here? The guy who set it up and didn't know how people would be
using the system? The guy who used it and didn't know how it was set up?

If the setup is public, are there enough visual cues to the everyday user that
the setup is public?

------
hpathak99
Most responsibly, the researcher has informed all the concerned parties.

------
Froyoh
Wow! Makes you think of all the different ways black hat hackers can advise
this!

------
Rjevski
While I appreciate the integrity of the researcher, companies that are so
careless don't deserve responsible disclosure. They deserve someone
anonymously logging in with those credentials and _rm -rf_'ing the entire
company and user data.

