Trello bug bounty: Payment information is sent to the webhook when a team changes its visibility

This bug has been partially disclosed by Trello. This blog post gives additional information about the bug.

Trello offers a great API feature called webhooks. It lets you set a webhook on a model such as a board, a card or a list. You pass the model id and a URL as parameters, and each time the model is updated, Trello POSTs the updated data to that URL. From a developer's point of view, it is a convenient way to keep the data about a model up to date without regularly polling the Trello API.

To create a webhook easily you can use the Trello sandbox.

Trello sandbox to test the API

The first step is to set up a server that will receive and display the data posted by the Trello server. To do that, I created an API exposing a POST web service that takes the payload sent with the request and prints it in the logs.

Once the server is ready to receive and display the POST requests, you just have to create a webhook. It is possible to create a webhook even if you have no rights on the model; the Trello API then decides, based on your rights, whether or not to send the data. That was the goal of my testing: to see whether, in some cases, data is sent even if you have no rights on the model.

I used two accounts: User1 is the admin of a company with a paid account (Business Class) and User2 is an ordinary user. User2 set a webhook on User1's company. The goal was to test whether data was sent when the company is public (which is normal) but also when the company is private.

I did several tests, such as adding a public, team-visible or private board. The webhook received only the public data. During my tests I switched the company visibility from public to private several times, to cover both cases. During the switch I saw that the prefs object of the company was sent to the webhook, because one of these preferences is the visibility of the company. However, the prefs object also contained some sensitive data about the company (I replaced the sensitive data with stars):

"paidAccount": {
    "billingDates": {
        "98": "Thu May 05 2016 00:00:00 GMT-0400 (EDT)"
    },
    "canRenew": true,
    "cardLast4": "****",
    "cardName": "Courtial Florian",
    "cardType": "Visa",
    "contactEmail": "*****@gmail.com",
    "contactFullName": "Florian Courtial",
    "contactLocale": "en-US",
    "credits": 0,
    "dateStandingChanged": "2016-04-05T10:40:45.823Z",
    "ixSubscriber": 846831,
    "standing": 3,
    "usedCreditsWhenLastBilled": false,
    "products": [98]
}

This data is partial payment information; it can be used, for instance, when calling the PayPal customer service to prove your identity.

As it is possible to set webhooks on private companies, this vulnerability was easy to exploit.
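As an added illustration (not Trello's code), one defender-side way to prevent this class of leak: serialize the prefs object for a webhook subscriber through an allowlist instead of sending the whole object, and run a recursive check for sensitive keys over every outgoing payload as a regression test. The sample update, the "visibility" key name and the subscriber-membership flag are constructed assumptions.

```python
import copy

# Constructed sample of the organization update a webhook subscriber receives
# when team visibility changes; "paidAccount" is the subtree that leaked.
# "visibility" is a stand-in name for the real visibility preference.
SAMPLE_ORG_UPDATE = {
    "id": "org-placeholder-id",
    "name": "example-team",
    "prefs": {
        "visibility": "private",
        "paidAccount": {
            "cardLast4": "****",
            "cardName": "Jane Doe",
            "contactEmail": "jane@example.com",
            "standing": 3,
        },
    },
}

# Allowlist: the only prefs keys a subscriber who is not a member may receive.
PUBLIC_PREFS = frozenset({"visibility"})

# Keys that must never reach an outside subscriber (regression check below).
SENSITIVE_KEYS = frozenset({"paidAccount", "cardLast4", "cardName", "contactEmail"})


def payload_for_subscriber(update, subscriber_is_member):
    """Copy of `update` for one subscriber: members get everything, others
    get prefs reduced to the allowlist, so new sensitive prefs drop by default."""
    out = copy.deepcopy(update)
    if not subscriber_is_member:
        prefs = update.get("prefs", {})
        out["prefs"] = {k: v for k, v in prefs.items() if k in PUBLIC_PREFS}
    return out


def find_sensitive_keys(obj, path=""):
    """Recursively list dotted paths of sensitive keys in an outgoing payload."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            here = f"{path}.{k}" if path else k
            if k in SENSITIVE_KEYS:
                hits.append(here)
            hits.extend(find_sensitive_keys(v, here))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_sensitive_keys(v, f"{path}[{i}]"))
    return hits
```

Running find_sensitive_keys over the unfiltered update reports the paidAccount paths, while the outsider payload reports none.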

Trello was quick to react: it was fixed in less than two hours. Furthermore, they audited the webhooks that existed while this bug was present and found nothing (which is cool).

They awarded me a good bounty of $1,536.