Security Data Breach: Trello API Misuse Reveals Email Links to 15M Accounts
The Trello API breach exposed email links of 15M accounts. The breach highlights the need for strong rate limiting, authentication, and security assessments to protect user data.
Medusa
5 Mins
What happened on trello breach?
Last week, reports emerged about a Trello data breach. Someone going by the name 'emo' tried to sell the information of 15,115,516 Trello users on a well-known hacking forum. The data includes emails, usernames, full names, and other account details. The post on the forum stated, "I'm selling one copy to anyone interested. Message me on-site or on Telegram.
While the majority of information in these profiles is public, the associated email addresses are not.
Who is affected?
Trello is a helpful online tool owned by Atlassian. Businesses often use it to organize information and tasks on boards, cards, and lists.
Key Terms to Understand:
Rate Limiting : Rate limiting in the context of an API (Application Programming Interface) is a technique used to control the number of requests a user or client can make to the API within a specified time period. The purpose of rate limiting is to prevent abuse, misuse, or overuse of the API, ensuring fair usage and maintaining the overall performance and availability of the service.
Exposed API : An exposed API signifies accessibility without adequate security measures, potentially posing privacy and data integrity risks. This vulnerability may result from insufficient authentication, authorization, or unintentional configuration errors, allowing unauthorized users or systems to access and manipulate the API.
API Exploitation
Trello API creates a potential linkage between confidential email addresses and Trello user accounts, giving rise to the possibility of generating numerous data profiles encompassing a blend of publicly available and private information.
Trello provides a REST API, allowing developers to seamlessly integrate the service into their applications. Among the various API endpoints, there is one that enables developers to retrieve public information about a user's profile based on their Trello ID or username.
However, 'emo' uncovered that this API endpoint could also be queried using an email address. If an associated account exists, one can retrieve the corresponding public profile information.
It's crucial to note that this API was publicly accessible, meaning it could be queried without the necessity of logging into a Trello account or using an API authentication key.
Subsequently, the threat actor compiled a list of 500 million email addresses and input them into the API to ascertain whether they were linked to a Trello account.
Trello's API imposes rate limits per IP address. To circumvent this restriction, the threat actor claimed to have acquired proxy servers, allowing them to rotate connections and continuously query the API.
Question: How did the attacker discover the existence of another email parameter?
Attackers may employ techniques like fuzzing, where they systematically submit various inputs (including email addresses in this case) to see how the system responds. By observing the API's behavior, the attacker could identify that it accepts email addresses as valid queries and returns relevant information, possibly leading to the exposure of user data.
Why testing hidden parameters is important?
Testing for hidden parameters in APIs is important because it helps uncover potential vulnerabilities or unintended functionalities that could be exploited by attackers. APIs may have additional parameters that are not publicly documented or visible, but can still be accessed and manipulated by malicious actors. By testing for hidden parameters, developers can identify and address these issues before they are exploited by attackers.
Check out this blog to understand the top 10 best practices for APIs.
Credential Stuffing Attack
Hunt reported that when he included the Trello data in the HIBP database of compromised credentials, every email address from emo's collection had already been previously added. In a sample check of 500 Trello emails, Hunt identified the following sources:
Wattpad: 183
Canva: 174
Dropbox: 132
Twitter200M: 129
Collection1: 123
Gravatar: 120
PDL: 118
Nitro: 104
Deezer: 94
LinkedIn: 91
This compilation of publicly available emails in a comprehensive database streamlines cybercriminals efforts in conducting brute-force attacks and credential stuffing for account takeovers, posing increased risks to businesses.
Trello Response
According to Trello, authenticated users can still access publicly available information from another user's profile using the API. This modification has been made to find a middle ground between preventing API misuse and maintaining the functionality of the 'invite to a public board by email' feature for our users.
Mitigations
To mitigate the exploitation of rate limits, the following steps can be taken:
Implement a more robust rate limiting mechanism that takes into account not just the number of requests, but also factors like the type of requests, user behavior, and anomaly detection.
Implement IP-based rate limiting in addition to user-based rate limiting, to further restrict the number of requests from a specific IP address.
Implement proper authentication and authorization mechanisms for all APIs, including the use of API keys or tokens to ensure that only authorized users or systems can access and manipulate the APIs.
Regularly review and update the API documentation to ensure that all exposed APIs are properly documented and any unintended functionalities are identified and addressed.
Implement security controls, such as input validation and output encoding, to mitigate the risk of API exploitation through techniques like fuzzing.
Conduct regular security assessments, including penetration testing, to identify and address any vulnerabilities in the APIs.
Conclusion
The Trello cyber attack highlights the importance of securing APIs and the risks of exposed APIs. Organizations need to implement strong security measures and ensure proper authentication, authorization, and configuration to prevent unauthorized access and protect user data. The impact of rate limiting should not be underestimated, as threat actors can circumvent limits using proxy servers. Testing for hidden parameters in APIs is crucial to uncover vulnerabilities, and regular security assessments are necessary to identify and address any weaknesses. By learning from this attack, organizations can improve their API security practices and better protect user data.
Keep reading
API Security
8 minutes
Security Information and Event Management (SIEM)
SIEM aggregates and analyzes security data across an organization to detect, monitor, and respond to potential threats in real time.
News
8 mins
Akto Recognized as a High Performer in G2’s Fall 2024 Reports for API Security and DAST
We’re proud to announce that Akto has been named a High Performer in both the API Security and Dynamic Application Security Testing (DAST) in G2’s Fall 2024 reports.
Product updates
5 minutes
Introducing Akto Code: Automated API Discovery from source Code
Akto Code is the new addition to Akto's API Discovery suite, complementing our existing capabilities for traffic source analysis in production and lower environments.