Check Point Research (CPR) has identified security vulnerabilities in Atlassian, a collaboration and production platform used by 180.000 customers worldwide.
With a single click, an attacker could have used these vulnerabilities to take over accounts and control some of Atlassian applications, including Jira and Confluence.
Jira is a leading software development tool used by more than 65.000 customers, including Visa, Cisco and Pfizer.
Confluence is a remote-friendly team workspace used by more than 60.000 customers, including LinkedIn, NASA and the New York Times.
Bitbucket is a Git-based source hosting service. All of these products can be used in a supply chain attack to target Atlassian partners and customers.
It is worth noting that the vulnerability has affected several sites in Atlassian, which support its clients and partners. It does not affect Atlassian cloud-based and individual products.
Withdrawal of Account
CPR has proven that debit was possible on Atlassian accounts, which are accessible through subdomains at atlassian.com. The vulnerable subdomains were:
Security vulnerabilities would allow an attacker to perform a number of potential malicious activities:
- Cross-Site Scripting (XSS) attacks: malicious scripts are inserted into websites and applications in order to execute them on the end-user device.
- Website Application Counterfeiting Attacks (CSRF): The attacker motivates users to perform actions that they do not intend to perform.
- Session Repair Attacks: The attacker steals the session between the client and the Web Server by connecting the user.
In other words, an attacker could use the security vulnerabilities identified by CPR to gain control of the victim account, take action on their behalf, and gain access to Jira tickets. Additionally, an attacker could have edited a company's wiki's Confluence or viewed tickets on GetSupport.
The attacker could also go one step further and obtain personal information. All this could be achieved with a single click.
To take advantage of the security drawbacks, the sequence of actions of an intruder would be as follows:
- The attacker entices the victim to click on a fabricated link (coming from the "Atlassian" domain), either on Social Media, or with a fake email or messaging app, etc.
- By clicking on the link, the payload will send a request from the victim to the Atlassian platform, which will execute the attack and steal the user's login.
- The attacker connects to the victim's Atlassian applications associated with his account, obtaining all the sensitive information stored there.
CPR responsibly disclosed its findings to Atlassian on January 8, 2021. Atlassian stated that it made repairs on May 18, 2021.
Statement by Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software:
"Supply chain attacks have been of interest throughout the year, especially after the SolarWinds incident. Atlassian platforms are key to an organization's workflow. An incredible amount of supply chain information flows through these applications, as well as engineering and project management. Therefore, we started to ask a somewhat worrying question: what information could a malicious user get if he gained access to a Jira or Confluence account? Our curiosity led us to look at the Atlassian platform, where we found security vulnerabilities. In a world where the workforce is increasingly dependent on remote technologies, there is an urgent need to ensure that these technologies have the best defense against data mining. We hope that our latest research will help organizations become more aware of supply chain attacks. ”