Security Flaws in Atlassian’s Platform Led to Account Takeover in One Click
June 2021 by Check Point Research Team
Check Point Research (CPR) finds security flaws in Atlassian, a platform used by 180,000 customers worldwide to engineer software and manage projects. With just one click, an attacker could have used the flaws to get access to the Atlassian Jira bug system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket and on premise products.
– CPR decided to investigate Atlassian, after growing curious about supply chain attacks since the SolarWinds incident
– CPR bypassed Atlassian’s security measures, proving that an attacker could have injected malicious code, performed actions on behalf of users, and hijacked user sessions
– CPR responsibly disclosed research findings to Atlassian, who then deployed a fix
Check Point Research (CPR) identified security flaws on Atlassian, the team collaboration and productivity platform used by 180,000 customers worldwide. With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence.
Jira is a leading software development tool used by over 65,000 customers, such as Visa, Cisco and Pfizer. Confluence is a remote-friendly team workspace used by over 60,000 customers, such as LinkedIn, NASA and the New York Times. Bitbucket is a Git-based source code repository hosting service. All these products can be used in a supply chain attack to target Atlassian partners and customers.
It should be noted the vulnerability affected several Atlassian-maintained websites, which support customers and partners. It does not affect Atlassian cloud-based or on-prem products.
Account Takeover
CPR proved that account take over was possible on Atlassian accounts accessible by subdomains under atlassian.com. The subdomains found vulnerable were:
– jira.atlassian.com
– confluence.atlassian.com
– getsupport.atlassian.com
– partners.atlassian.com
– developer.atlassian.com
– support.atlassian.com
– training.atlassian.com
Security Flaws
The security flaws would have enabled an attacker to execute a number of possible malicious activities:
– Cross-Site Scripting (XSS) attacks: malicious scripts are injected into websites and web applications for the purpose of running on the end user’s device.
– Cross-site request forgery (CSRF) attacks: attacker induces users to perform actions that they do not intend to perform.
– Session fixation attacks: the attacker steals the established session between the client and the Web Server after the user logs in.
In other words, an attacker could use the security flaws found by CPR to take control over a victim’s account, perform actions on behalf of him, and gain access to Jira tickets. Furthermore, an attacker could have edited a company’s Confluence wiki, or view tickets at GetSupport. The attacker could have gone on to gain personal information. All of this could be accomplished in just one-click.
Attack Methodology
To exploit the security flaws, an attacker’s order of operations would have been:
Attacker lures victim into clicking on a crafted link (coming from the “Atlassian” domain), either from social media, a fake email or messaging app etc.
By clicking on the link, the payload will send a request on behalf of the victim to the Atlassian platform, which will perform the attack and steal the user session.
Attacker logs onto victim’s Atlassian apps associated with the account, gaining all the sensitive information that is stored there.
Responsible Disclosure
CPR responsibly disclosed its research findings to Atlassian on January 8, 2021. Atlassian said that a fix was deployed on May 18, 2021.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software:
“Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization’s workflow. An incredible amount of supply chain information flows through these applications, as well as engineering and project management. Hence, we began asking a somewhat provocative question: what information could a malicious user get if they accessed a Jira or a Confluence account? Our curiosity led us to review Atlassian’s platform, where we found security flaws. In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defenses against malicious data extraction. We hope our latest research will help organizations to raise the awareness on supply chain attacks.”