Thursday 8 January 2015

Trello iCalendar feed - Information Leakage (fixed)

Trello recently changed the protocol of the iCalendar feed URI that they provide in their Calendar power-up.

Previous feed format:

webcal://trello.com/calendar/abc/def/ghi.ics

New:

https://trello.com/calendar/abc/def/ghi.ics

This changes how a calendar client retrieves the feed. With webcal, the client queries the host over plain HTTP using the full feed URI (it just swaps webcal for http). Trello responds with a 302 pointing to the same URI, but with the protocol replaced with https.

Observing network traffic in Wireshark:



It is trivial for anyone in control of the network, or any passive attacker on a wireless network, to retrieve the same feed and get full read-only access to all cards on a board that has the power-up enabled and is marked with a date. With the new feed (using https), no communication takes place in the clear.

This is more of a limitation of the webcal protocol, which has no way to specify secure communication. I suggested replacing webcal with https, as that worked for the client I tested with (Calendar.app on OS X), but this would probably need testing with other calendar clients before being pushed as a fix.
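As an added example (not code from the original post or from Trello), here is a small Python model of the exchange described above: which requests a calendar client sends for a webcal feed versus an https feed, which of them carries the secret feed path in the clear, and the rewrite that the post suggests as the fix. The feed URI and the client behaviour are assumed to match the post's description; the token path is a constructed placeholder.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed URI in the format the post describes (placeholder path, not a real token).
SAMPLE_WEBCAL_FEED = "webcal://trello.com/calendar/abc/def/ghi.ics"


def client_request_sequence(feed_uri):
    """Model the requests a calendar client makes for a feed URI.

    Returns a list of (scheme, url) tuples in the order they are sent.
    webcal: the client first asks over plain http (scheme swapped) and then
    follows the server's 302 to the https copy of the same URI.
    https:  a single request, nothing in the clear.
    """
    parts = urlsplit(feed_uri)
    rest = tuple(parts[1:])  # netloc, path, query, fragment
    if parts.scheme == "webcal":
        return [("http", urlunsplit(("http",) + rest)),
                ("https", urlunsplit(("https",) + rest))]
    if parts.scheme == "https":
        return [("https", feed_uri)]
    raise ValueError(f"unsupported feed scheme: {parts.scheme!r}")


def cleartext_exposure(feed_uri):
    """Return the full URL (including the secret path) that crosses the
    network unencrypted for this feed, or None if nothing is sent in the clear."""
    for scheme, url in client_request_sequence(feed_uri):
        if scheme == "http":
            return url
    return None


def harden_feed_uri(feed_uri):
    """Apply the fix the post suggests: hand out the feed as https rather than webcal."""
    parts = urlsplit(feed_uri)
    if parts.scheme == "webcal":
        return urlunsplit(("https",) + tuple(parts[1:]))
    return feed_uri


def audit_feeds(feed_uris):
    """Return the subset of feed URIs whose secret path would be sent in the clear."""
    return [uri for uri in feed_uris if cleartext_exposure(uri) is not None]
```

Running `audit_feeds` over the feed URIs a service hands out (or that a client has subscribed to) flags every one that still leaks its path on the first hop.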

Response timeline:


I reported this on 2015/5/1 at 06:30 EST.

First (human) response: 2015/5/1 14:27 EST.

Issue acknowledged: 2015/5/1 14:43 EST - they said the issue had been previously reported and a fix was expected sometime this week.

Fixed: 2015/8/1 09:07 EST - webcal replaced with https.

+1 for Trello security.
