Trello users are again making an error of security already old, exposing their own passwords in frames whose privacy is set to “Public”. The problem became known in 2018, but reflections of it are still showing through the Internet until today.

According to several reports to the Olhar Digital, in addition to some social media security channel profiles, several Trello users are setting their boards for public viewing. The problem is that this ends up listing the contents of the frames in the Google — which allows it to be accessed by anyone with a simple search.


Read also

Image shows a Trello users board, containing password information for internal tools
Frames set to “Public” in Trello are listed by Google search… Image: Olhar Digital/Reproduction
Image shows a Trello users board, containing password information for internal tools
…exposing passwords and login credentials to anyone with a browser. Image: Olhar Digital/reproduction

As you saw in the images above, we conducted our own test to attest to the veracity of the problem and, unfortunately, the situation is real — and very dangerous. In five different attempts, we were able to access tables with company profile passwords on Instagram, access credentials for YouTube channels, social media campaigns with access information to management tools (MLabs, Hootsuite, etc.) and, in one case, passwords of internet banking.

In 2018, the security blog Krebs on Security reported similar cases, involving companies like Uber and even Atlassian Corp, owner of Trello. In the following year, in 2019, around 60 frames marked as “public”, linked to the United Nations (UN) were found – most with access cards to private documents in Google Docs.

Trello himself warns you of the problem

O Olhar Digital tried to contact the press office of Trello in search of a comment, but until the closing of this text, we have not had an answer.

However, the company FAQ it already informs you that public frames are indexed by search engines (such as Google Search) like any other open content, and that setting the privacy setting to “Private” prevents this.

“A public board is visible to anyone on the internet and will be displayed on search engines like Google. Only users added as board members can edit it, but anyone with the link will be able to see it, even if that person doesn't have a Trello account,” says the FAQ.

In this issue, the user has several privacy options for their tables: in addition to "Public" and "Private", there are also settings that allow viewing for only employees of a company or members of a specific department within a company.

Changing the Visibility of a Frame in Trello

Because of the risk of password exposure, Trello typically adjusts the privacy setting of new frames automatically, leaving them closed by default. However, older frames or those where users have made manual adjustments may be at risk.

To resolve this, simply adjust the settings back to a mode where the security of sensitive information is not compromised. But first, you need to know if your frame is accessible.

To do this, just copy the address (URL) from it and paste it into a browser in anonymous mode. If the page opens, the content is public.

With that, just follow the step by step below:

  1. In the upper left corner, next to the frame name, click on the current visibility button, which can be “Public”, “Private”, “Organization (Company)” or “Team”
  2. What you do not want is to leave it on “Public”, then any of the other options will do.

Remember that, in the case of “Organization (Company)”, it is necessary that the frame is inserted inside a Trello business account.

Another important detail: changing your frame's configuration doesn't necessarily eliminate previous indexing done by Google – it just guarantees that it won't show up in new searches. For complete removal, you need to call the search engine support and explain your case.

Have you watched our new videos on YouTube? Subscribe to our channel!