Trello is a New York-based, Australian-owned company whose self-named application is an easy-to-use project management and scheduling tool. Anyone can log in and create task lists for themselves, their household or their team at work. Trello uses a "freemium" business model, providing basic features at no cost to individuals and small organizations while offering a variety of fee models with additional features that cater to large organizations. The web-based software is popular and integrates with other management tools such as Microsoft Teams, which greatly expands its capabilities.
At home, Trello can help organize errands, family projects and vacations, to name a few. At work, it can keep teams on track, organizing tasks over the week, quarter and year, for example, and moving them between various categories, such as from "backlog" to "in process" to "completed." Each task can be assigned to and divided among members of the team.
But there's a major problem with Trello's boards: Although by default the data entered on them is private, all that's needed to make them available to the general public is to change one simple setting. When I say "the general public," I also mean to Google’s search engine and all other search sites, which scrape the boards marked public and include their contents in search results.
When the public board exposes a family's errands and shopping lists it’s not really a disaster. If the boards are for the development team of a software company, the problem could be much bigger. What could be several times more problematic? If military organizations use the application. And unfortunately, that is exactly what is happening: More than a few Israeli military units use Trello, exposing highly classified military information. Even the Spokesperson's Unit of the Israel Defense Forces uses Trello, exposing information best kept secret.
How easy is it to look at the tasks and schedules of quite a few IDF units? Very, says Yam Mesicka, a security researcher. All you need to do is to search, on Trello itself – remember, it's free to join and use – for military keywords such as "commander," "Maj." or "Dept. chief" (in Hebrew). In fact, you don't even have to sign up for Trello: Typing site:trello.com followed by the search term into Google or a different search engine will return the same results.
Mesicka found dozens of Trello boards from a number of IDF units, tasks and schedules – including highly classified information – as well as less-classified information that no military unit would want to be available to the world at large.
The saddest part of all this is that what I'm reporting here is not new; there have been numerous articles and news reports on the subject over the past several years. Military units are not supposed to post classified data on the internet at all, and certainly not through third-party software. Nonetheless, if they do transgress, they should at least not change the privacy setting to "public" and expose their boards to any bored Iranian intel officer with access to Google.
So if you are in charge of the Trello boards for a military unit or even a private company, please make sure they are protected and private. It's very easy to do: Just click on the name of the board and make sure that “Visibility” is set to Private.
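As an added example (not from the article, Trello or the IDF), here is a small audit script a board administrator could run to catch this misconfiguration on their own account: it pulls every board the authenticated member can see through Trello's REST API and flags any whose visibility is public. The endpoint path, the `prefs.permissionLevel` field and the `key`/`token` query parameters are what I understand Trello's API to expose and are assumptions here; the sample response is constructed so the check runs offline.

```python
"""Audit Trello board visibility and flag boards that anyone on the web can read."""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

TRELLO_API = "https://api.trello.com/1"  # assumed Trello REST API base URL

# Visibility levels reported in prefs.permissionLevel (assumed values).
# "public" is the one that lets search engines index the board.
SAFE_LEVELS = {"private", "org", "enterprise"}


def find_public_boards(boards):
    """Return (name, url) for every board that is not confirmed non-public.

    `boards` is the parsed JSON list from the /members/me/boards endpoint.
    A missing or unknown permissionLevel is reported too (fail closed), so
    an unexpected API response cannot silently hide an exposed board.
    """
    exposed = []
    for board in boards:
        level = board.get("prefs", {}).get("permissionLevel", "unknown")
        if level not in SAFE_LEVELS:
            exposed.append((board.get("name", "?"), board.get("url", "?")))
    return exposed


def fetch_my_boards(api_key, token):
    """Fetch all boards visible to the authenticated member (network call)."""
    query = urlencode({"key": api_key, "token": token,
                       "fields": "name,url,prefs"})
    with urlopen(f"{TRELLO_API}/members/me/boards?{query}") as resp:
        return json.load(resp)


# Constructed sample response so the audit runs offline; names and URLs are made up.
SAMPLE_BOARDS = [
    {"name": "Weekly errands", "url": "https://trello.com/b/x1",
     "prefs": {"permissionLevel": "private"}},
    {"name": "Unit schedule", "url": "https://trello.com/b/x2",
     "prefs": {"permissionLevel": "public"}},
    {"name": "Team backlog", "url": "https://trello.com/b/x3",
     "prefs": {"permissionLevel": "org"}},
]

if __name__ == "__main__":
    # Replace SAMPLE_BOARDS with fetch_my_boards(API_KEY, TOKEN) for a live audit.
    for name, url in find_public_boards(SAMPLE_BOARDS):
        print(f"PUBLIC board: {name} ({url}) - set Visibility to Private")
```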
In a written statement, the IDF Spokesperson's unit said: "The IDF has approved, supervised platforms for the use of soldiers online. These soldiers are instructed in information security briefings not to provide personal details or details concerning their military service online via links or platforms that are not official and approved by the army. Any deviation from these instructions is reviewed and dealt with accordingly. These cases have been dealt with and the instructions were clarified."
The response is identical to the one given in regard to my last report on a data breach in the IDF. After a cursory examination, it turns out that there are many Trello boards defined as public; military units using Microsoft Teams and Trello should carry out this check on their own to make sure their information is safe.