Atlassian app security flaws paved way for account takeovers
- 25 June, 2021 14:46
Security flaws within a number of Atlassian applications potentially allowed hackers to take over and control accounts in a bid to target partners and customers with just one click.
The attack chain, according to Check Point Research (CPR), the research team behind cyber security vendor Check Point Software Technologies, started with attackers getting users to click on a crafted link that supposedly came from the 'Atlassian' domain.
This included the subdomains jira.atlassian.com; confluence.atlassian.com; getsupport.atlassian.com; partners.atlassian.com; developer.atlassian.com; support.atlassian.com; and training.atlassian.com.
The link however would send a request from the victim to the Atlassian platform, which would initiate the attack and steal the user session.
Attacks that could have been executed include cross-site scripting attacks to inject malicious scripts from websites into devices, cross-site request forgery attacks to force users to perform actions and session fixation attacks to steal sessions between clients and web servers.
“In other words, an attacker could use the security flaws found by CPR to take control over a victim’s account, perform actions on behalf of him, and gain access to Jira tickets,” CPR claimed. “Furthermore, an attacker could have edited a company’s Confluence wiki or view tickets at GetSupport. The attacker could have gone on to gain personal information. All of this could be accomplished in just one click.”
It should be noted however the vulnerabilities did not affect Atlassian cloud-based or on-premises products — only several Atlassian-maintained websites that support partners and customers.
CPR disclosed the security flaws to Atlassian back in January of this year, with the software vendor deploying a fix in May.
Oded Vanunu, head of products vulnerabilities research at Check Point Software said Atlassian’s platforms can be considered central to an organisation’s workflow, which led Check Point to look into the security of the platform.
“An incredible amount of supply chain information flows through these applications, as well as engineering and project management. Hence, we began asking a somewhat provocative question: what information could a malicious user get if they accessed a Jira or a Confluence account?” he said.
“Our curiosity led us to review Atlassian’s platform, where we found security flaws. In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defences against malicious data extraction.”