Atlassian vulnerability allows account takeover

Security researchers at Check Point Research (CPR) have discovered vulnerabilities in web properties of Atlassian, whose platform is popular with many companies. The flaws would have allowed attackers to take over accounts and, among other things, read the Atlassian Jira bug tracker, where reports of security issues and other sensitive details are stored. Prompted by the rise in supply-chain attacks and the incidents surrounding the SolarWinds compromise, Check Point had taken a closer look at Atlassian.

Atlassian is a software vendor, registered in London with operational headquarters in Sydney, whose products and services (for example Bamboo, Crucible, SourceTree and Bitbucket) are aimed at software developers. Its range also includes tools such as the Confluence wiki and the Jira task and issue tracker, which address users well beyond software development. The company is known for focusing on agile software development and for practising it itself. According to Check Point, Jira is used by more than 180,000 customers worldwide.

Analysis of the platform produced alarming results: with a single click by the victim, an attacker could have exploited the vulnerabilities to gain access to the Atlassian Jira bug tracker. That would have exposed sensitive information, such as records of security issues in Atlassian Cloud, Bitbucket and on-premise products.

The vulnerabilities affect several Atlassian-maintained websites that serve customers and partners; Atlassian's cloud-based and on-premise products themselves are not affected. Check Point's researchers demonstrated that accounts on the following Atlassian-operated sites (subdomains of atlassian.com and atlassian.de) could be taken over:

  • jira.atlassian.com
  • confluence.atlassian.com
  • getsupport.atlassian.com
  • partners.atlassian.com
  • entwickler.atlassian.de
  • support.atlassian.com
  • training.atlassian.com

The vulnerabilities would have allowed an attacker to carry out a range of attacks:

  • Cross-site scripting (XSS): malicious script is injected into a page of the vulnerable site and executes in the victim's browser, in the security context of that site.
  • Cross-site request forgery (CSRF): the attacker causes the logged-in victim's browser to send requests that perform actions the victim did not intend.
  • Session fixation: the attacker plants a session identifier of their choosing in the victim's browser before login; if the site keeps that identifier once the victim authenticates, the attacker's copy of it is now an authenticated session.

In other words, an attacker could have used the vulnerabilities found by CPR to take control of an employee's account, act on their behalf and read Jira tickets. An attacker could also have edited an organization's Confluence wiki, viewed tickets on GetSupport and stolen personal information. All of this required just one click by the victim.

The attack method

To exploit the vulnerabilities, an attacker would have had to do the following:

  1. Get the victim to click a crafted link that points at a legitimate Atlassian domain, delivered via social media, email or a messaging app.
  2. When the victim clicks, the payload carried by the link sends a request to the Atlassian site on the victim's behalf; that request triggers the vulnerability and hands the attacker the victim's session.
  3. With that session, the attacker logs in to the Atlassian applications tied to the victim's account and reads whatever sensitive information is stored there.
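
The three steps above, replayed as a generic session-fixation flow. This is an added example written for this page, not code from the original article, from Atlassian or from Check Point Research; the toy application, the `victim` account and the `?sid=` link format are constructed assumptions and say nothing about how the real Atlassian sites handled sessions. The `App(hardened=False)` variant adopts whatever session identifier the client presents and keeps it unchanged across login, which is what makes a planted identifier valuable; `App(hardened=True)` ignores identifiers it never issued and rotates the identifier at login.

```python
"""Session fixation: a vulnerable and a hardened session layer, side by side.

Added example, not code from the original article, from Atlassian or from
Check Point Research. The app, the test account and the session format are
constructed here for illustration; they do not describe the real Atlassian sites.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed test account; a real app would compare against a password hash.
USERS = {"victim": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None  # None until the client authenticates


@dataclass
class App:
    """Toy web app whose session ID (SID) is the value a session cookie would carry."""
    hardened: bool
    sessions: Dict[str, Session] = field(default_factory=dict)

    def _new_sid(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def visit(self, sid: Optional[str] = None) -> str:
        """Pre-login request. `sid` is whatever the client presents, e.g. a value
        planted by a crafted link such as https://example.test/?sid=<attacker's>."""
        if sid in self.sessions:
            return sid                       # known, server-issued SID
        if sid is not None and not self.hardened:
            # Vulnerable: adopt a SID the server never issued. This is the
            # fixation point: the attacker now knows the victim's SID.
            self.sessions[sid] = Session()
            return sid
        return self._new_sid()               # hardened: unknown SIDs are ignored

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate; returns the SID the client must use from now on."""
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        if self.hardened:
            # Rotate on privilege change: drop the pre-auth SID and issue a
            # fresh one, so any identifier known before login is worthless.
            self.sessions.pop(sid, None)
            sid = self._new_sid()
        self.sessions[sid] = Session(user=username)
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        session = self.sessions.get(sid)
        return session.user if session else None


def fixation_attack(app: App) -> Optional[str]:
    """Replay the article's three steps against `app` and return which user the
    attacker's planted SID resolves to afterwards (None if the attack failed)."""
    planted_sid = secrets.token_urlsafe(32)          # step 1: attacker picks a SID
    victim_sid = app.visit(sid=planted_sid)           # step 2: victim clicks the link
    app.login(victim_sid, "victim", USERS["victim"])  # victim authenticates normally
    return app.whoami(planted_sid)                    # step 3: attacker reuses the SID


if __name__ == "__main__":
    print("vulnerable app, attacker's SID resolves to:", fixation_attack(App(hardened=False)))
    print("hardened app, attacker's SID resolves to:  ", fixation_attack(App(hardened=True)))
```

Either defence in the hardened variant defeats this particular flow on its own: refusing identifiers the server never issued stops the plant from taking hold, and rotating the identifier at login makes a pre-login identifier useless even if it was accepted. Real deployments do both, and additionally scope the session cookie narrowly (`Domain`, `Path`, `Secure`, `HttpOnly`) so that a script or redirect on one subdomain cannot set a cookie that a sibling subdomain will honour.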

Check Point Research reported its findings to Atlassian on January 8, 2021; according to Atlassian, a fix was deployed on May 18, 2021. Check Point Research has published a full report on the vulnerabilities.
