I'm shocked by a possible bizarre security flaw in Trello

Non Nominal November 21, 2024

I activated 2-factor authentication using a security key, and when I logged in on my desktop device, the authentication login was simply "bypassed". Through Windows Security.

The Windows security tab automatically opens, I enter my computer's PIN (whose email has nothing to do with the Trello account) and I can simply access my Trello account without authentication.

This assumes that anyone who has my password could very well access my Trello account from another device since the authentication is flawed. And a person with any other computer and PIN can access it.

In this sense, it makes more sense to just have a super strong password...

Is there something I'm being ignorant about and can't verify in another way? Please help me, because I can't find any reason why access was granted, since there is nothing on my desktop device linked to the same Trello email account that could have granted access to the account. In my opinion, nothing could grant access without the security key or without it being linked/saved somewhere on the computer.

I'm shocked. Because there has already been a leak of Trello data, hasn't there?

1 answer

1 vote
Gaurav Kataria
Atlassian Team
November 21, 2024

Could you please share if you logged out of Trello on your Windows desktop and the same issue still persisted? I am asking because browsers store the current session cookie, and will allow you to keep accessing the app unless you reset the session by logging out. (Once you log out, then the 2-factor authentication would be enforced for the subsequent login.)

Non Nominal November 21, 2024

Hi Gaurav Kataria, thanks for your reply.

I understand what you mean. I didn't exit the browser.

However, I use the Mozilla browser and the official Mozilla extension "Firefox Multi-Account Containers" that separates tabs by containers and the cookies downloaded by one Container are not available to other Containers.

What I mean is that I went to validate the login in a different container (without cookies), which is the same as saying that I *closed and reopened the regular browser* and this happened.

Before this discovery, I couldn't use the key via the mobile browser (not the app). I was afraid of losing full access to the account and my boards, and that's why I hadn't closed the browser and had then disabled the key.

Later, I created a new key, which is when I noticed this apparent security flaw: I was able to access via the container (as I explained above: zero cookies) and without having entered the key.

Maybe one way is to close the browser... but I understand the following (as far as my layman's knowledge goes, of course): I wasn't even able to use the security key once on the login page to even save it as a cookie or something like that. Understand? I just wrote it down and saved the file in .pdf. Nothing else. And even with zero cookies, it still accessed.

One alternative is to actually try to evaluate it by closing the browser, but I'm afraid the same thing might happen as with the cell phone and I won't be able to enter the security key, *in which case the only alternative that leaves me access to the account is a recovery key*. I don't remember the name of the key exactly, nor how it works (but if I'm not mistaken, it's possible to keep this last generated key, just in case). But before that: try accessing from a third browser and/or computer.

Sherlock Holmes online!

Just kidding.

As soon as I can, I'll do these tests. Since I raised the issue... And I'll give you more details.

Thanks, Gaurav.

Non Nominal November 21, 2024

Hi Gaurav, I've tested it.

I didn't have to look very far.

Apparently, there seems to be a loophole that allows any Windows user to input their computer's PIN and link it to the email address of the Trello account in question, at the time of 2-factor authentication, without any barriers.

Here is the step-by-step test (login attempt performed more carefully via Mozilla):

Step 1: creating a security key. (screenshot: 1.PNG)

Step 2: Windows Hello interference at the time of *creating the key*.

"Verifying that it is you"

"Configure your security key to log into Atlassian as #trello account email#"

Where: I can't create the key without being subject to Windows Hello. So this means that no external user can access the account in this way through Windows on the login screen, not without first accessing the account and making this configuration. The configuration was made before the login attempt, at the time of creating the key. (screenshot: 2.PNG)

2.1: If I enter the PIN, the key is created.

2.2: If I click cancel, this new window opens. (screenshot: 3.PNG)

"Security key configuration"

"Configure your security key to log into atlassian.com as #trello account email#"

At this point, if I click OK, I enter a flow about a USB flash drive. I did not take a screenshot.

If I cancel, I return to the Trello screen and I can try to register the key again.


Therefore, I conclude that it is not a Trello security flaw or incorrect integration with Microsoft, it was my lack of attention when generating the password. I had never experienced this with Windows, regarding Windows Hello, browsers and login.
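The registration ceremony the poster walked through above is a WebAuthn `navigator.credentials.create()` call, and the Windows Hello PIN dialog appears because Windows offers its built-in platform authenticator alongside a USB security key whenever the relying party does not restrict the authenticator attachment. The following is an added example, not code from this thread, from Trello or from Atlassian; it shows how a relying party builds those options, how requesting `"cross-platform"` keeps the Windows Hello dialog out of the ceremony, and how the browser-reported attachment can be inspected afterwards. That Atlassian's page leaves the attachment unset is inferred from the screenshots described in the post and is an assumption; the `rpId`, user fields and challenge handling are placeholders.

```javascript
// Added example: WebAuthn registration options and attachment check.
// Not code from the Atlassian thread or from Trello. rpId, user fields and
// the challenge are assumed placeholders; the server must generate and
// later verify the challenge.

const PLATFORM = "platform authenticator (e.g. Windows Hello)";
const ROAMING = "roaming security key";
const UNKNOWN = "unknown attachment";

const textEncoder = new TextEncoder();

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// With roamingOnly=false the browser may offer Windows Hello (device PIN)
// as well as a USB key, which is the behaviour described in the post.
function buildCreationOptions({ rpId, userId, userName, challenge, roamingOnly }) {
  const options = {
    rp: { id: rpId, name: rpId },
    user: {
      id: textEncoder.encode(userId), // stable, opaque per-account identifier
      name: userName,
      displayName: userName,
    },
    challenge, // server-issued random bytes, echoed back in clientDataJSON
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    timeout: 60000,
    attestation: "none",
    authenticatorSelection: {
      userVerification: "required", // PIN or biometric on the authenticator
      residentKey: "discouraged",
    },
  };
  if (roamingOnly) {
    // Ask for a removable security key only; the Windows Hello PIN dialog is
    // then not offered as a way to create this credential.
    options.authenticatorSelection.authenticatorAttachment = "cross-platform";
  }
  return options;
}

// Report which kind of authenticator produced a credential, using the
// attachment the browser exposes on PublicKeyCredential (WebAuthn Level 3).
function classifyCredential(credential) {
  switch (credential.authenticatorAttachment) {
    case "cross-platform":
      return ROAMING;
    case "platform":
      return PLATFORM;
    default:
      return UNKNOWN;
  }
}

// Accept a registration as the "security key" factor only if a roaming key
// produced it, so a credential bound to this PC's Windows Hello PIN is refused.
function acceptAsSecurityKey(credential) {
  return classifyCredential(credential) === ROAMING;
}

// Browser-side usage (needs a real page and a server endpoint; not run here).
async function registerSecurityKey(rpId, userId, userName, serverChallenge) {
  const publicKey = buildCreationOptions({
    rpId, userId, userName, challenge: serverChallenge, roamingOnly: true,
  });
  const credential = await navigator.credentials.create({ publicKey });
  if (!acceptAsSecurityKey(credential)) {
    throw new Error("registration did not come from a roaming security key");
  }
  return credential; // post credential.response to the server for verification
}
```

Two caveats for anyone adapting this. The `authenticatorAttachment` value is reported by the browser and is not part of the signed response, so the server-side check that actually matters is verifying the attestation statement or keeping an allowlist of authenticator AAGUIDs; the client-side classification is only a usability guard. And restricting to `"cross-platform"` is a policy choice: a Windows Hello credential is still a phishing-resistant second factor, it is just bound to that machine's PIN or biometric rather than to a removable key, which is exactly the distinction the poster tripped over.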


Deployment type: Cloud
Product plan: Premium