The U.N. accidentally released passwords, internal documents, and other sensitive details when it failed to properly secure its accounts on Trello, a popular workplace project management website.
According to The Intercept, “[a]ffected data included credentials for a U.N. file server, the video conferencing system at the U.N.’s language school, and a web development environment for the U.N.’s Office for the Coordination of Humanitarian Affairs.” The material was readable by anyone who had the links, rather than only by specific users who had been granted access.
The security slips were first identified by security researcher Kushagra Pathak back in August after he conducted Google searches that led him to public Trello pages, which in turn linked to Google documents and Jira pages. Jira is an “issue tracking app,” as noted by The Intercept.
Despite Pathak’s attempts to notify the U.N., the international governing body took two weeks to respond and confirm that it would investigate his concerns. A little over a week later, it told him it was unable to locate the vulnerabilities and asked for more information on how he had found the exposed data. “May we request you to provide the exact Google search criteria that was used?” they asked him.
Throughout this time, he continued to send them his findings on the publicly available information. “In all, he reported 60 Trello boards, several Google Drive and Google Docs links that contained sensitive information, and sensitive information from a public U.N. account on Jira,” The Intercept reports. The outlet also says it contacted the U.N. on September 12, and that a day later the U.N. began taking down the exposed information.
In an email statement to The Intercept, U.N. spokesperson Florencia Soto Nino-Martinez said:
“Some of the boards listed have communications materials which are not sensitive, while some have outdated information. However, we are reviewing all boards on the list to ensure that no passwords or credentials are shared through this medium.”
She also said:
“We take security very seriously and have reached out to all staff reminding them of the risks of using a third-party platform to share content and to take the necessary precautions to ensure no sensitive content is public.”
The Intercept noted “just some” of the information made available to the public:
- A social media team promoting the U.N.’s “peace and security” efforts published credentials to access a U.N. remote file access, or FTP, server in a Trello card coordinating promotion of the International Day of United Nations Peacekeepers. It is not clear what information was on the server; Pathak said he did not connect to it.
- The U.N.’s Language and Communication Programme, which offers language courses at U.N. Headquarters in New York City, published credentials for a Google account and a Vimeo account. The program also exposed, on a publicly visible Trello board, credentials for a test environment for a human resources web app. It also made public a Google Docs spreadsheet, linked from a public Trello board, that included a detailed meeting schedule for 2018, along with passwords to remotely access the program’s video conference system to join these meetings.
- One public Trello board used by the developers of Humanitarian Response and ReliefWeb, both websites run by the U.N.’s Office for the Coordination of Humanitarian Affairs, included sensitive information like internal task lists and meeting notes. One public card from the board had a PDF, marked “for internal use only,” that contained a map of all U.N. buildings in New York City. Another card had an attached PDF that included a phone tree with names and phone numbers of people working for a division of the U.N.’s human resources department. Some cards contained links to internal documents hosted on Google Docs that, in turn, contained sensitive information about web development projects, including a web address and password to access a staging environment to test early features of the website.
- The U.N. website developers also used a public Jira bug tracker that contained detailed technical information about how the sites were developed and what issues they were having.
Pathak says he thinks organizations make their sensitive information public simply because it’s easier. They can “share the details present on the board with their team members just by sharing the URL of the board with them without adding them to the board,” he said.
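As an added illustration of the failure mode this article describes (not code from The Intercept, the U.N., or the researcher), the following Python script audits an inventory of boards for link-shareable visibility and for card text that looks like a credential, reporting hits with the secret value redacted. The board JSON shape and the field names `prefs.permissionLevel` and `cards[].desc` are assumptions modelled on the Trello REST API, and the sample data is constructed.

```python
import re

# Constructed inventory resembling an org-wide export of Trello boards. The field
# names (prefs.permissionLevel, cards[].desc) follow the Trello REST API as an
# assumption; verify them against the current API documentation before relying on them.
SAMPLE_BOARDS = [
    {"name": "Peacekeepers Day promo", "url": "https://trello.com/b/EXAMPLE1",
     "prefs": {"permissionLevel": "public"},
     "cards": [{"name": "Upload assets",
                "desc": "Push files via ftp://promo:Spring2018!@media.example.org"}]},
    {"name": "HR test env", "url": "https://trello.com/b/EXAMPLE2",
     "prefs": {"permissionLevel": "org"},
     "cards": [{"name": "Staging", "desc": "staging login: admin / pw: changeme"}]},
    {"name": "Team lunch", "url": "https://trello.com/b/EXAMPLE3",
     "prefs": {"permissionLevel": "private"},
     "cards": [{"name": "Friday", "desc": "Pizza at noon"}]},
]

# (matcher, redactor) pairs: report that a credential is present without copying it.
CREDENTIAL_PATTERNS = [
    # "password=..." / "pw: ..." / "api_key: ..." style fragments
    (re.compile(r"\b(?:pass(?:word|wd)?|pwd?|secret|token|api[_ -]?key)\s*[:=]\s*\S+", re.I),
     lambda s: re.sub(r"([:=]\s*)\S+$", r"\1***", s)),
    # user:password@host embedded in a URL
    (re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s@]+@", re.I),
     lambda s: re.sub(r"^(.*://[^\s/:@]+):[^\s@]+@$", r"\1:***@", s)),
]

def find_credentials(text):
    """Return redacted fragments of `text` that look like embedded credentials."""
    return [redact(m.group(0)) for pattern, redact in CREDENTIAL_PATTERNS
            for m in pattern.finditer(text)]

def audit_boards(boards):
    """Flag link-shareable (public) boards, then every credential-looking card
    fragment, tagged EXPOSED when the board is public and STORED otherwise."""
    findings = []
    for board in boards:
        level = board.get("prefs", {}).get("permissionLevel", "unknown")
        if level == "public":
            findings.append((board["name"], "board is public (link-shareable)", board["url"]))
        for card in board.get("cards", []):
            text = card.get("name", "") + "\n" + card.get("desc", "")
            for hit in find_credentials(text):
                tag = "EXPOSED" if level == "public" else "STORED"
                findings.append((board["name"], f"{tag} credential in card '{card['name']}'", hit))
    return findings
```

Credentials found on non-public boards are still worth rotating, since the board can be flipped to public by any member at a later date.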