Thursday, April 16, 2020

Trello! It is me... you locked the door? User warns of single sign-on risk after barring self from own account | The Register

An issue where Trello user Shashank Tomar was locked out of his personal account because of a secondary email belonging to a company he left five years ago has drawn criticism from users.

The story goes like this. Tomar created his personal Trello account "long before Trello was acquired by Atlassian", as he told the Atlassian community board. The acquisition took place in 2017.

He did not use single sign-on (SSO); his login was simply username and password. Wanting to share some work with a colleague, Tomar added a secondary email to his Trello account so he could create Trello boards under that identity. "As soon as I left the company and my email was disabled, all the boards under that email disappeared from my account. This was expected," he said.

Five years on, "with tons of personal boards under this account, one morning it stopped working without any notification," he continued.

Tomar raised the issue with support and also on the Atlassian community forums. Calling Tomar's former company ACME for confidentiality reasons, Atlassian explained: "The ACME Trello Enterprise has enforced SSO, meaning any Trello user with one of their emails as a saved credential must log in with ACME SSO, even if the user also has a personal email address as a saved credential. The reason for this is because The Enterprise has claimed the ACME domain, and therefore, ownership of the Trello accounts containing their credentials, which is something Trello's terms allow Enterprises to do."

Atlassian refused to restore Tomar's account access without consent from ACME. However, the email address provided for ACME bounced. The best Atlassian could offer was to remove the personal email so that Tomar could open a new, empty Trello account. Further, all the boards in the existing account had been handed to ACME.

Tomar's problem was resolved, not by Atlassian, but because the Trello app on his phone was still logged in, seemingly a flaw in the security. "After tedious work, I have moved my documents to another tool," he said.

Users are concerned. "Where in the Trello interface can I even check what other email addresses are associated with my account?" asked one. "The exact same thing happened to me," said another.

In a discussion on Hacker News, similar incidents cropped up regarding other companies. "I had this with Azure. My Microsoft account was tied to the AD of a previous customer. Can not access Azure dashboard or services at all," said a comment. "GitHub did this to me a few years ago. I still feel violated," said another.

Mixing personal and work accounts

Tomar cannot understand why Atlassian could not see the difference between his data and ACME's data. "A board is owned by the user. In my case, my boards are clearly created by email ending in and not," he said. He is understandably indignant that access to his personal data has been granted to a former company.

The issues here are fundamental. First, if you put data in a cloud service without a backup, you are trusting not only that the cloud service will preserve your data, but also that you will not get locked out, whether by mishap such as forgotten credentials, or some other issue. Second, individual users have limited recourse compared to large businesses, especially if using a free or low-end plan.

SSO is part of the problem because it puts multiple accounts under centralised control. Whenever you sign up for a service with Facebook, Google, or a company owned account such as Azure Active Directory, you are granting control over access to that company, whereas with a dedicated login for that service this is not the case. The oddity here is that Tomar signed up with a dedicated login, but this ended up being overridden by a retrospective SSO adoption by his former employer.
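To make the override mechanism concrete, here is an added example (not code from Atlassian, Trello or the original article) that models the policy quoted above: an enterprise that has claimed a domain and enforced SSO takes control of every account holding an email on that domain as a saved credential, regardless of the primary login. The same model doubles as an audit check a user or admin could run over an inventory of accounts to find logins that a later domain claim could override. All account names, email addresses and domains below are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the policy described in the article. The enterprise
# name, domains and email addresses are placeholders, not real identifiers.

@dataclass(frozen=True)
class Enterprise:
    name: str
    claimed_domains: frozenset   # domains the enterprise has claimed
    sso_enforced: bool           # whether SSO is enforced for claimed accounts

@dataclass
class Account:
    username: str
    emails: List[str]            # primary login email first, then secondaries

def domain_of(email: str) -> str:
    """Lower-cased domain part of an address; raises if there is no '@'."""
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()

def controlling_enterprise(account: Account,
                           enterprises: List[Enterprise]) -> Optional[Enterprise]:
    """Return the enterprise whose SSO would override this account's login.

    Any saved email on a claimed domain is enough; the primary (personal)
    email does not protect the account. Returns None if no enterprise applies.
    """
    for email in account.emails:
        dom = domain_of(email)
        for ent in enterprises:
            if ent.sso_enforced and dom in ent.claimed_domains:
                return ent
    return None

def audit(accounts: List[Account],
          enterprises: List[Enterprise]) -> List[Tuple[str, str, List[str]]]:
    """Flag accounts an enforced SSO claim would take over.

    Each finding is (username, enterprise name, offending emails).
    """
    findings = []
    for acc in accounts:
        ent = controlling_enterprise(acc, enterprises)
        if ent is not None:
            offending = [e for e in acc.emails
                         if domain_of(e) in ent.claimed_domains]
            findings.append((acc.username, ent.name, offending))
    return findings

def detach_work_emails(account: Account, enterprises: List[Enterprise]) -> Account:
    """Mitigation: drop secondary emails on any claimed domain, keep the primary.

    Returns a new Account; the original is left untouched.
    """
    claimed = set().union(*(e.claimed_domains for e in enterprises))
    primary, *secondaries = account.emails
    kept = [primary] + [e for e in secondaries if domain_of(e) not in claimed]
    return Account(account.username, kept)

# Constructed sample data mirroring the story: a personal account with a
# former employer's address saved as a secondary email.
ACME = Enterprise("ACME", frozenset({"acme.example"}), sso_enforced=True)
ENTERPRISES = [ACME]
ACCOUNTS = [
    Account("personal-user", ["me@mail.example", "me@acme.example"]),
    Account("clean-user", ["someone@mail.example"]),
]

if __name__ == "__main__":
    for username, ent, emails in audit(ACCOUNTS, ENTERPRISES):
        print(f"{username}: login would be overridden by {ent} via {emails}")
    fixed = detach_work_emails(ACCOUNTS[0], ENTERPRISES)
    print("after detaching:", fixed.emails,
          "->", controlling_enterprise(fixed, ENTERPRISES))
```

The audit flags the first account even though its primary login is personal, which is exactly the situation the article describes; detaching the secondary work address before leaving the employer is the one step on the user's side of the boundary that removes the exposure.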

The obvious conclusion is: first, to back up data stored with external services, and second, never to mix personal and work accounts even in seemingly safe ways. As we become more dependent on cloud services, though, backup other than from one cloud to another becomes challenging.

We have asked Atlassian for comment and will update with any further information. ®
