Check Point Research (CPR) has claimed to have discovered security flaws in Atlassian, a platform used by 180,000 customers worldwide to engineer software and manage projects. With just one click, an attacker could have used the flaws get access to the Atlassian Jira bug system and get sensitive information such as security issues on Atlassian cloud, Bitbucket and on premise products.
- CPR decided to investigate Atlassian, after growing curious about supply chain attacks since the SolarWinds incident
- CPR bypassed Atlassian’s security measures, proving that an attacker could have injected malicious code, performed actions on behalf of users, and hijacked user sessions
- CPR responsibly discloses research findings to Atlassian, who then deployed a fix
Jira is a leading software development tool used by over 65,000 customers, such as Visa, Cisco and Pfizer. Confluence is a remote-friendly team workspace used by over 60,000 customers, such as LinkedIn, NASA and the New York Times. Bitbucket is a Git-based source code repository hosting service. All these products can be used in a supply chain attack to target Atlassian partners and customers.
It should be noted the vulnerability affected several Atlassian-maintained websites, which support customers and partners. It does not affect Atlassian cloud-based or on-prem products.
Account Takeover
CPR proved that account take over was possible on Atlassian accounts accessible by subdomains under atlassian.com. The subdomains found vulnerable were:
- jira.atlassian.com
- confluence.atlassian.com
- getsupport.atlassian.com
- partners.atlassian.com
- developer.atlassian.com
- support.atlassian.com
- training.atlassian.com
Security Flaws
The security flaws would have enabled an attacker to execute a number of possible malicious activities:
- Cross-Site Scripting (XSS) attacks: malicious scripts are injected into websites and web applications for the purpose of running on the end user’s device.
- Cross-site request forgery (CSRF) attacks: attacker induces users to perform actions that they do not intend to perform.
- Session fixation attacks: attacker steals the established session between the client and the Web Server after the user logs in.
In other words, an attacker could use the security flaws found by CPR to take control over a victim’s account, perform actions on behalf of him, and gain access to Jira tickets. Furthermore, an attacker could have edited a company’s Confluence wiki, or view tickets at GetSupport. The attacker could have gone on to gain personal information. All of this could be accomplished in just one-click.
Attack Methodology
To exploit the security flaws, an attacker’s order of operations would have been:
- Attacker lures victim into clicking on a crafted link (coming from the “Atlassian” domain), either from social media, a fake email or messaging app etc.
- By clicking on the link, the payload would send a request on behalf of the victim to the Atlassian platform, which would perform the attack and steal the user session.
- Attacker logs onto victim’s Atlassian apps associated with the account, gaining all the sensitive information that is stored there
Responsible Disclosure
CPR responsibly disclosed its research findings to Atlassian on January 8, 2021. Atlassian said that a fix was deployed on May 18, 2021.
Ever since the SolarWinds incidents last year, supply chain attacks have been in the forefront of CPR researchers’ interest. Since the Atlassian platforms are central to so many organisations workflows, an incredible amount of supply chain information flows through these applications CPR researchers began asking themselves what information could a malicious user get if they accessed a Jira or a Confluence account. This curiosity led them to review Atlassian’s platform, where these security flaws were found. In a world where distributed workforces increasingly depend on remote technologies, it is imperative to ensure these technologies have the best defences against malicious data extraction.