Trello Username Enumeration Vulnerability

WS201506 – Trello Username Enumeration Vulnerability
by David Sopas @dsopas
www.websegura.net

Description:

I found another security issue on Trello.
It’s a different type of vulnerability and I come across by this by pure luck.
That’s why we shoud always have Google Inspector open… You never know when you’ll find something interesting.

When trying to reset my account on Trello I found that when you mistype your email it will return HTTP code 404. So I remember that last year a security researcher found something similiar on Facebook to know what emails are registered under that social network.

That way a malicious user could get Username Enumeration using a proxy tool [like Burp] to automatize this task and get valid users because a valid user returns always HTTP code 200.

trello.com/forgot

trello_200

trello_404

Trello replied:

Thanks very much for following our responsible disclosure practices. We really appreciate it!
You’re correct that this is excluded from our HackerOne page – we’re aware of how that page works and the implications of that behavior. That said, thanks again for taking the time to report the issue.

Timeline:

13 Mar 2015 – Reported to Trello
13 Mar 2015 – Trello replied they’re aware of this issue
13 Mar 2015 – I asked to full disclosure
16 Mar 2015 – Trello accepted my request

Achaste interessante? Partilha!