Security Flaws in Atlassian’s Platform Led to Account Takeover in One Click

June 2021 by Check Point Research Team

Check Point Research (CPR) finds security flaws in Atlassian, a platform used by 180,000 customers worldwide to engineer software and manage projects. With just one click, an attacker could have used the flaws to access the Atlassian Jira bug system and obtain sensitive information, such as security issues in Atlassian cloud, Bitbucket and on-premises products.

- CPR decided to investigate Atlassian, after growing curious about supply chain attacks since the SolarWinds incident
- CPR bypassed Atlassian’s security measures, proving that an attacker could have injected malicious code, performed actions on behalf of users, and hijacked user sessions
- CPR responsibly disclosed research findings to Atlassian, who then deployed a fix

Check Point Research (CPR) identified security flaws on Atlassian, the team collaboration and productivity platform used by 180,000 customers worldwide. With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence.

Jira is a leading software development tool used by over 65,000 customers, such as Visa, Cisco and Pfizer. Confluence is a remote-friendly team workspace used by over 60,000 customers, such as LinkedIn, NASA and the New York Times. Bitbucket is a Git-based source code repository hosting service. All these products can be used in a supply chain attack to target Atlassian partners and customers.

It should be noted that the vulnerability affected several Atlassian-maintained websites, which support customers and partners. It does not affect Atlassian cloud-based or on-premises products.

Account Takeover

CPR proved that account takeover was possible on Atlassian accounts accessible through subdomains under atlassian.com. The subdomains found vulnerable were:
- jira.atlassian.com
- confluence.atlassian.com
- getsupport.atlassian.com
- partners.atlassian.com
- developer.atlassian.com
- support.atlassian.com
- training.atlassian.com

Security Flaws

The security flaws would have enabled an attacker to execute a number of possible malicious activities:
- Cross-Site Scripting (XSS) attacks: malicious scripts are injected into websites and web applications so that they run on the end user’s device.
- Cross-Site Request Forgery (CSRF) attacks: the attacker induces users to perform actions that they do not intend to perform.
- Session fixation attacks: the attacker steals the established session between the client and the web server after the user logs in.

In other words, an attacker could use the security flaws found by CPR to take control of a victim’s account, perform actions on their behalf, and gain access to Jira tickets. Furthermore, an attacker could have edited a company’s Confluence wiki or viewed tickets at GetSupport, and gone on to obtain personal information. All of this could be accomplished in just one click.

Attack Methodology

To exploit the security flaws, an attacker’s order of operations would have been:

- The attacker lures the victim into clicking on a crafted link (coming from the “Atlassian” domain), delivered via social media, a fake email, a messaging app, etc.
- When the victim clicks the link, the payload sends a request on the victim’s behalf to the Atlassian platform, which performs the attack and steals the user’s session.
- The attacker logs on to the victim’s Atlassian apps associated with the account, gaining access to all the sensitive information stored there.

Responsible Disclosure

CPR responsibly disclosed its research findings to Atlassian on January 8, 2021. Atlassian said that a fix was deployed on May 18, 2021.

Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software:
“Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization’s workflow. An incredible amount of supply chain information flows through these applications, as well as engineering and project management. Hence, we began asking a somewhat provocative question: what information could a malicious user get if they accessed a Jira or a Confluence account? Our curiosity led us to review Atlassian’s platform, where we found security flaws. In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defenses against malicious data extraction. We hope our latest research will help organizations raise awareness of supply chain attacks.”
