U.N. security blunder left secret Trello boards, Google Docs exposed

Secretive documents related to the United Nations were left vulnerable to unauthorized access by anyone who stumbled upon the right link, after Trello, Jira, and Google Docs accounts were left improperly configured by staffers. The security gaffe left passwords, organizational documents, and security plans belonging to governments of the United Kingdom and Canada open to the web.

Maybe they should have read our guide on how to use Google Docs.

Although each of the unsecured documents did require a unique URL in order to be accessed, that proved far from an effective protective measure when security researcher Kushagra Pathak discovered links to a U.N.-controlled Trello organizational board. In that tool’s ‘card’ system, he went on to find links to other documents that led to Google documents and U.N. pages on Jira, an issue-tracking service. These in turn had more links, all of which contained sensitive information. In total, Pathak discovered some 50 boards and documents that he was able to access because of the lack of security options implemented during their setup.

Some of the information he was eventually able to glean from these documents included access to a remote U.N. FTP server, credentials to log in to a Google and Vimeo account associated with the U.N.’s language and learning program, remote access information for certain U.N.-linked meetings, and detailed information about the U.N. website and its development.

Pathak contacted the U.N. in late August to inform it of the issue. Although, as The Intercept highlights, the organization’s technical department ran into some problems replicating the issue, much of the sensitive content has now been taken down or protected behind security credentials. In a statement to The Intercept, a U.N. spokesperson said that all relevant staff had been warned about trusting third-party tools and services with sensitive information and that they should take necessary precautions to protect such data in the future.

Despite rhetoric to the contrary, Pathak believes that many of these latest security concerns arose simply because leaving boards unsecured is easier than securing them. By not adding users to boards and locking them to authorized accounts only, U.N. staffers were able to share URLs in order to give others access. “Adding people to the board seems to be a huge task for these people, but in fact it is really easy,” Pathak said in a statement.

Jon Martindale
Jon Martindale is the Evergreen Coordinator for Computing, overseeing a team of writers addressing all the latest how to…