Can I prevent a user from adding users to a personal board without their permission? Edited

According to Adding people to a board in the trello docs, a user is able to create a board and then add any other user to that board, either as an admin or ordinary user. All they need is the user's name; the added user will then be notified that they've been added to the board, and that board will appear in the user's list of personal boards.

We recently had an incident where a former employee added a board to the personal boards of a company manager. This did not cause any damage, but it has raised concerns that the method could allow a malicious user to spam, harass, or phish members of the company.

Are there any protections against this?

For instance, it would be useful to:

  1. Allow users to add an offending user to a list of blocked users.
  2. Replace the default "User has added you to the board XYZ" notification with an invite

This question has been asked on StackOverflow. However the answer there does not acknowledge that a user can add another user to a board without permission, or address the implied security risk. I haven't found any other mentions of this question, nor do any of the business or trello gold features seem to address this concern. Looking forward learning trello's solution to this threat, and updating the StackOverlflow entry. Thanks!

- Max

2 answers

0 vote

Hi Max,

Because Trello is at heart a social collaboration app, we took our cues from the major social networks like Twitter, where you can easily search people on the site, but cannot see anything more about them than what they choose to make public. This means that your name, avatar, and bio show up publicly, but not your email address, and only public boards and teams will show up on your profile.

However as a board admin you can control who can invite further users to your board, so you could allow only board admins to add and invite others - not any other user on the board.

Hi Torben,

Have you gotten a chance to review my comments below? 

Could someone from Atlassian please review this and provide a response?

Hi Torben,

Thanks for your reply. Looking back I see I may not have been entirely clear on the issue. Forgive me for the length of what follows, but I feel this is an important issue to illustrate.

I mention this all only because we recently had a situation very similar to the one below, where a rogue former employee was able to add some disparaging content to the personal boards of the company owner. However, I believe it represents a security risk that is applicable to a wide variety of teams.

The Scenario:
Imagine we have a small team with members Bob, Alice, and Caleb. Say also we have a hacker called MaliciousDave, trying to hack the team. 

The Attack:
Dave can create a board full of dangerous or unwanted content, call it MaliciousBoard. This board can have some nasty content, for instance:

  • links to malware and phishing attempts
  • spam and advertisements
  • personally harassing content
  • and lots more

At this point, MaliciousDave can add Bob, Alice, and Caleb to this board. This would happen without team member permission, and the board would appear in the team's list of personal boards. Finally, Dave can remove himself from the board.

The Risk:
Suppose Alice misses the board addition notification. Instead, she stumbles upon MaliciousBoard by accident one day. She checks out its membership and sees Bob and Caleb, and accidentally mistakes it for a new team board.

Alice is now at risk of being exposed to dangerous content.

For instance, she may click an innocent looking link that asks her to provide some password, or downloads a virus. This is a security risk potentially as nasty as phishing emails.

Solutions:
Social and traditional platforms handle this kind of risk in a few different ways, for instance:

  • Twitter lets us block users after we learn they're malicious
  • Facebook has a separate inbox for message requests from strangers
  • Email blocks spam from unknown users and may require users to whitelist expected emails

The simplest solution might be to ensure that a stranger can only invite a user to a new board, and not add them outright. This might be a setting only available to business teams, and it might entail the creation of a list of "trusted members" that each team member would maintain.

Conclusion
I hope I've illustrated the risk of Trello's current board member addition model. Namely, there's a serious risk that a malicious user can use Trello to hack or harass team members by adding team members to a specially crafted malicious board. This has happened at our company recently and has left our confidence in Trello a bit shaken.

I've proposed a relatively simple solution in the form of an "invite only" policy for untrusted members. I believe this is a significant risk, and that securing against this kind of attack would be a valuable addition to Trello.

Thank you for raising this issue. Have you heard anything back from anyone at Trello?

Today I was added to a malicious board. The board contained random pictures and an inappropriate URL as the title of a list. I did not try to visit the URL, but it was clear that it was malicious.

Here's what I found surprising:

  • There is no way for me to block myself from being added to boards (either in general, or to block this specific user from adding me to board)
  • Once I was added to a board, my username was shown in a list of members on the board, which I believe exposes me to be added to even more boards that I don't want to be added to.
  • There was no way to report the board as inappropriate, SPAM, or potentially compromised account.
  • Trello has been silent in responding to your concerns.

What ideas do you have for elevating this to someone at Trello so we can actually get some traction on the resolving this issue? Are there any similar threads that you recommend I comment on, or like, to help elevate the profile of these concerns and the simple fixes that could be employed?

Update: I did just find a way to report abusive behavior. I just reported this to Trello and asked that they also take a look at and respond to this thread. Here's how I reported it.

  • Click on Trello profile in upper right hand corner
  • Click "Help"
  • Click "Send us a message"
  • Select from the topic dropdown "I need to report abusive behavior"

Trello should really make it easier to report abusive behavior. Hopefully someone will respond to this thread and give us an update of what they are doing or planning to do in this space to make Trello more secure.

Hi Max,

 

You bring up very valid points, and this is something we're considering. Ultimately, we know that the current process does leave some doors open for situations like this, and the team is working on how to improve that for the future. Beyond that, I don't have any specifics to share or timeframes, but the team is most definitely aware that this is an area for improvement.

 

To put Torben's comment in some context, Trello tends to keep the ability to collaborate at the forefront of everything we do. Even the addition of one step to have to accept an invitation is something that would be carefully considered and evaluated as that also adds one more blocker between legitimately adding another person to a board to collaborate, which happens much more frequently. Any change like that needs to make sure it's not stepping on any toes and doesn't hinder the experience we intend for Trello.

 

Again, let me reassure you, this is an area the team is working on, and we hope to have new abilities available here before long.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published Apr 23, 2018 in Trello

Using Trello to manage events

As a Jira power user, I was at first doubtful that Trello could benefit my workflow. Jira already uses boards (ones you can customize!), so why would I even need to use Trello?! In this post you will...

808 views 10 11
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you