Trello token security issue?

I'm building an application to send cards to my Trello board, but I don't want users to have to accept the application (for this they would need a Trello account). Instead I created another account (a 'slave account'), gave it read/write permission to my board and generated a read/write token that never expires.

On my webpage I include core.js

https://api.trello.com/1/client.js?key=[appkey]&token=[token]

Everything works but... if a user inspects my code he can see my "app key" and "token".

So my question is:
1. Is this a security problem - can a visitor take this app key/token and access the board? (I believe it is)
2. How do I change my code so that a visitor to the page doesn't see my app key/token?

thx

ajitam asked Nov 01 '12 21:11


1 Answer

If you are making your token available to people, then yes, there is a potential security issue there - with the key and token, they can issue requests as you for any permissions you have granted on that token. So if you want to create a token with write access to the board, you probably want to keep that on the server side, and have your JavaScript submit to your server, which then in turn relays that to the Trello site using the token you generated.

If you are worried that you have revealed a token you did not want to, you can invalidate it at the bottom of your account page at https://trello.com/your/account.

Brett answered Oct 02 '22 03:10
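The server-side relay the answer describes, as an added example that is not code from the question, the answer or Trello: the browser submits only card text, the server attaches the key and token and forwards the request. It assumes Trello's REST endpoint `POST https://api.trello.com/1/cards` (parameters `key`, `token`, `idList`, `name`, `desc`) and uses placeholder environment variable names for the secrets; the list id is pinned server-side so a visitor cannot write anywhere else.

```javascript
// Added example (Node.js 18+), not from the original post. Secrets come from
// placeholder environment variables and never appear in anything sent to the browser.
const TRELLO_CARDS_URL = "https://api.trello.com/1/cards"; // assumed Trello REST endpoint
const MAX_NAME = 256;
const MAX_DESC = 4096;

// Read secrets server-side only (placeholder variable names).
function loadSecrets(env = process.env) {
  return { key: env.TRELLO_KEY, token: env.TRELLO_TOKEN, listId: env.TRELLO_LIST_ID };
}

// Allowlist what a visitor may supply: a card name and an optional description.
// idList is never taken from the client, so writes cannot be redirected elsewhere.
function sanitizeCardInput(body) {
  if (!body || typeof body.name !== "string") return { error: "name is required" };
  const name = body.name.trim();
  const desc = typeof body.desc === "string" ? body.desc.trim() : "";
  if (name.length === 0 || name.length > MAX_NAME) return { error: "name length out of range" };
  if (desc.length > MAX_DESC) return { error: "desc too long" };
  return { name, desc };
}

// Build the outbound Trello request; key and token are attached here, on the server.
function buildTrelloRequest(card, secrets) {
  const params = new URLSearchParams({
    key: secrets.key, token: secrets.token, idList: secrets.listId,
    name: card.name, desc: card.desc,
  });
  return { method: "POST", url: TRELLO_CARDS_URL, body: params.toString() };
}

// Actual transport to Trello (form-encoded POST); injectable so it can be faked in tests.
async function sendToTrello(req) {
  const res = await fetch(req.url, {
    method: req.method,
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: req.body,
  });
  return { ok: res.ok };
}

// Relay handler: validates the visitor's input, forwards to Trello, and returns only a
// status flag to the browser so neither the token nor Trello's raw reply leaks back.
async function relayCardSubmission(body, secrets, send = sendToTrello) {
  const card = sanitizeCardInput(body);
  if (card.error) return { status: 400, client: { error: card.error } };
  const trello = await send(buildTrelloRequest(card, secrets));
  return { status: trello.ok ? 201 : 502, client: { ok: trello.ok } };
}
```

The page then posts `{ name, desc }` to this handler instead of loading `client.js` with the key and token in the URL.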