Can I prevent a user from adding users to a personal board without their permission?

Max Suica June 14, 2017

According to Adding people to a board in the trello docs, a user is able to create a board and then add any other user to that board, either as an admin or ordinary user. All they need is the user's name; the added user will then be notified that they've been added to the board, and that board will appear in the user's list of personal boards.

We recently had an incident where a former employee added a board to the personal boards of a company manager. This did not cause any damage, but it has raised concerns that the method could allow a malicious user to spam, harass, or phish members of the company.

Are there any protections against this?

For instance, it would be useful to:

  1. Allow users to add an offending user to a list of blocked users.
  2. Replace the default "User has added you to the board XYZ" notification with an invite

This question has been asked on StackOverflow. However, the answer there does not acknowledge that a user can add another user to a board without permission, or address the implied security risk. I haven't found any other mentions of this question, nor do any of the business or trello gold features seem to address this concern. Looking forward to learning trello's solution to this threat, and updating the StackOverflow entry. Thanks!

- Max

2 answers

0 votes
Max Suica June 19, 2017

Hi Torben,

Thanks for your reply. Looking back I see I may not have been entirely clear on the issue. Forgive me for the length of what follows, but I feel this is an important issue to illustrate.

I mention this all only because we recently had a situation very similar to the one below, where a rogue former employee was able to add some disparaging content to the personal boards of the company owner. However, I believe it represents a security risk that is applicable to a wide variety of teams.

The Scenario:
Imagine we have a small team with members Bob, Alice, and Caleb. Say also we have a hacker called MaliciousDave, trying to hack the team. 

The Attack:
Dave can create a board full of dangerous or unwanted content, call it MaliciousBoard. This board can have some nasty content, for instance:

  • links to malware and phishing attempts
  • spam and advertisements
  • personally harassing content
  • and lots more

At this point, MaliciousDave can add Bob, Alice, and Caleb to this board. This would happen without team member permission, and the board would appear in the team's list of personal boards. Finally, Dave can remove himself from the board.

The Risk:
Suppose Alice misses the board addition notification. Instead, she stumbles upon MaliciousBoard by accident one day. She checks out its membership and sees Bob and Caleb, and accidentally mistakes it for a new team board.

Alice is now at risk of being exposed to dangerous content.

For instance, she may click an innocent-looking link that asks her to provide some password, or that downloads a virus. This is a security risk potentially as nasty as phishing emails.

Solutions:
Social and traditional platforms handle this kind of risk in a few different ways, for instance:

  • Twitter lets us block users after we learn they're malicious
  • Facebook has a separate inbox for message requests from strangers
  • Email blocks spam from unknown users and may require users to whitelist expected emails

The simplest solution might be to ensure that a stranger can only invite a user to a new board, and not add them outright. This might be a setting only available to business teams, and it might entail the creation of a list of "trusted members" that each team member would maintain.

Conclusion
I hope I've illustrated the risk of Trello's current board member addition model. Namely, there's a serious risk that a malicious user can use Trello to hack or harass team members by adding team members to a specially crafted malicious board. This has happened at our company recently and has left our confidence in Trello a bit shaken.

I've proposed a relatively simple solution in the form of an "invite only" policy for untrusted members. I believe this is a significant risk, and that securing against this kind of attack would be a valuable addition to Trello.
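One way to model the "invite only for untrusted members" policy proposed in this post, written as an added example for this page (it is not Trello's code or API): a board member can only add someone outright if that person has listed them as trusted; anyone else produces a pending invitation the target must accept, blocked users are dropped, and the invitation keeps the inviter's name even after the inviter leaves the board. The User and Board classes and the trusted/blocked lists are assumptions for the model.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    trusted: set = field(default_factory=set)  # people allowed to add me outright
    blocked: set = field(default_factory=set)  # people whose adds/invites are dropped

@dataclass
class Board:
    name: str
    members: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # invitee -> inviter (kept if inviter leaves)

def add_or_invite(board, actor, target):
    """A stranger's add becomes an invite; only trusted actors add directly."""
    if actor.name not in board.members:
        return "not-a-member"            # you must be on the board to bring others in
    if actor.name in target.blocked:
        return "blocked"                 # dropped, no notification to the target
    if actor.name in target.trusted:
        board.members.add(target.name)   # today's direct-add behaviour, trusted people only
        return "added"
    board.pending[target.name] = actor.name
    return "invited"                     # target gets an "X invited you" request instead

def respond(board, user, accept):
    """Target decides; the inviter stays recorded even if they have since left."""
    inviter = board.pending.pop(user.name)
    if accept:
        board.members.add(user.name)
    return inviter

def leave(board, user):
    board.members.discard(user.name)

def boards_of(user, boards):
    """The user's own board list: only boards they actually joined or accepted."""
    return [b.name for b in boards if user.name in b.members]

def scenario():
    # Constructed replay of the thread's example: Alice trusts Bob but not Dave.
    alice, bob, dave = User("alice", trusted={"bob"}), User("bob"), User("dave")
    team = Board("TeamBoard", members={"bob"})
    bad = Board("MaliciousBoard", members={"dave"})
    results = [add_or_invite(team, bob, alice), add_or_invite(bad, dave, alice)]
    leave(bad, dave)                      # Dave removes himself, as in the scenario
    inviter = respond(bad, alice, accept=False)
    return results, boards_of(alice, [team, bad]), inviter
```

With this policy MaliciousBoard never appears in Alice's board list, and the declined invitation still names who sent it, which is what a report-abuse flow would need.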

Stephen Anderson January 5, 2018

Thank you for raising this issue. Have you heard anything back from anyone at Trello?

Today I was added to a malicious board. The board contained random pictures and an inappropriate URL as the title of a list. I did not try to visit the URL, but it was clear that it was malicious.

Here's what I found surprising:

  • There is no way for me to block myself from being added to boards (either in general, or to block this specific user from adding me to a board)
  • Once I was added to a board, my username was shown in a list of members on the board, which I believe exposes me to be added to even more boards that I don't want to be added to.
  • There was no way to report the board as inappropriate, SPAM, or potentially compromised account.
  • Trello has been silent in responding to your concerns.

What ideas do you have for elevating this to someone at Trello so we can actually get some traction on resolving this issue? Are there any similar threads that you recommend I comment on, or like, to help elevate the profile of these concerns and the simple fixes that could be employed?

Stephen Anderson January 5, 2018

Update: I did just find a way to report abusive behavior. I just reported this to Trello and asked that they also take a look at and respond to this thread. Here's how I reported it.

  • Click on Trello profile in upper right hand corner
  • Click "Help"
  • Click "Send us a message"
  • Select from the topic dropdown "I need to report abusive behavior"

Trello should really make it easier to report abusive behavior. Hopefully someone will respond to this thread and give us an update of what they are doing or planning to do in this space to make Trello more secure.

Mike
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 5, 2018

Hi Max,

You bring up very valid points, and this is something we're considering. Ultimately, we know that the current process does leave some doors open for situations like this, and the team is working on how to improve that for the future. Beyond that, I don't have any specifics to share or timeframes, but the team is most definitely aware that this is an area for improvement.

To put Torben's comment in some context, Trello tends to keep the ability to collaborate at the forefront of everything we do. Even the addition of one step to have to accept an invitation is something that would be carefully considered and evaluated as that also adds one more blocker between legitimately adding another person to a board to collaborate, which happens much more frequently. Any change like that needs to make sure it's not stepping on any toes and doesn't hinder the experience we intend for Trello.

Again, let me reassure you, this is an area the team is working on, and we hope to have new abilities available here before long.

Steve Basford April 4, 2022

"To put Torben's comment in some context, Trello tends to keep the ability to collaborate at the forefront of everything we do" - when you start to invite a user, using their email even and before it works out it is an email, various random users with the same name as you are typing appear, the majority of them will not be the person you're looking for. Some of the names will appear identical, leading to inviting the wrong individual. Blocked users also appear in the list. All very very strange

0 votes
Torben_trello
Atlassian Team
June 19, 2017

Hi Max,

Because Trello is at heart a social collaboration app, we took our cues from the major social networks like Twitter, where you can easily search people on the site, but cannot see anything more about them than what they choose to make public. This means that your name, avatar, and bio show up publicly, but not your email address, and only public boards and teams will show up on your profile.

However as a board admin you can control who can invite further users to your board, so you could allow only board admins to add and invite others - not any other user on the board.

Max Suica June 25, 2017

Hi Torben,

Have you gotten a chance to review my comments below? 

Stephen Anderson January 5, 2018

Could someone from Atlassian please review this and provide a response?

Steve Basford April 4, 2022

-
