Check Point Research (CPR) identified the security gaps in Atlassian, a platform collaboration and production used by 180.000 customers worldwide.
With a single click, an attacker could have used these vulnerabilities to take over accounts and control some of Atlassian applications, including Jira and Confluence.
Jira is a leading software development tool used by more than 65.000 customers, including Visa, Cisco and Pfizer.
Confluence is a remote-friendly team workspace used by more than 60.000 customers, including LinkedIn, NASA and the New York Times.
Bitbucket is a Git-based source hosting service. All of these products can be used in a supply chain attack to target Atlassian partners and customers.
It's worth noting that the vulnerability affected several websites at Atlassian, which support its customers and partners. It does not affect Atlassian's cloud-based and on-premise products.
Withdrawal of Account
CPR demonstrated that account withdrawal was possible on Atlassian accounts, which are accessible via subdomains at atlassian.com. The vulnerable subdomains were:
jira.atlassian.com
confluence.atlassian.com
getsupport.atlassian.com
partners.atlassian.com
developer.atlassian.com
support.atlassian.com
training.atlassian.com
Security Gaps
Security vulnerabilities would allow an attacker to perform a number of potential malicious activities:
- Cross-Site Scripting (XSS) attacks: malicious scripts are inserted into websites and applications in order to execute them on the end-user device.
- Website Application Counterfeiting Attacks (CSRF): The attacker motivates users to perform actions that they do not intend to perform.
- Session Repair Attacks: The attacker steals the session between the client and the Web Server by connecting the user.
In other words, an attacker could use the security vulnerabilities identified by CPR to gain control of the victim account, take action on their behalf, and gain access to Jira tickets. Additionally, an attacker could have edited a company's wiki's Confluence or viewed tickets on GetSupport.
Ο εισβολέας θα μπορούσε επίσης να πάει ένα βήμα παραπέρα και να αποκτήσει προσωπικές πληροφορίες. Όλα αυτά θα μπορούσαν να επehυχθούν με ένα μόνο κλικ.
Attack Methodology
To take advantage of the security drawbacks, the sequence of actions of an intruder would be as follows:
- The attacker entices the victim to click on a fabricated link (coming from the "Atlassian" domain), either on Social Media, or with a fake email or messaging app, etc.
- By clicking on the link, the payload will send a request from the victim to the Atlassian platform, which will execute the attack and steal the user's login.
- The attacker connects to the victim's Atlassian applications associated with his account, obtaining all the sensitive information stored there.
Responsible information
CPR responsibly disclosed its findings to Atlassian on January 8, 2021. Atlassian stated that it made repairs on May 18, 2021.
Statement by Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software:
“Οι επιθέσεις supply chain έχουν κινήσει το ενδιαφέρον μας καθ' όλη τη διάρκεια της χρονιάς, ειδικά μετά το περιστατικό της SolarWinds. Οι πλατφόρμες της Atlassian είναι βασικές για τη ροή των εργασιών ενός οργανισμού. Ένα απίστευτο ποσοστό πληροφοριών για την αλυσίδα εφοδιασμού ρέει μέσω αυτών των εφαρμογών, καθώς και η engineering και η διαχείριση έργων. Ως εκ τούτου, αρχίσαμε να θέτουμε ένα κάπως ανησυχητικό ερώτημα: ποιες πληροφορίες θα μπορούσε να πάρει ένας κακόβουλος χρήστης εάν αποκτούσε πρόσβαση σε έναν λογαριασμό Jira ή Confluence; Η περιέργειά μας, μας οδήγησε να εξετάσουμε την πλατφόρμα της Atlassian, όπου κα βρήκαμε κενά ασφαλείας. Σε έναν κόσμο όπου το εργατικό δυναμικό εξαρτάται όλο και περισσότερο από εξ'αποστάσεως τεχνολογίες, είναι επιτακτική ανάγκη να διασφαλιστεί ότι οι τεχνολογίες αυτές έχουν την καλύτερη άμυνα ενάντια στην export data. We hope our latest research will help organizations become more aware of supply chain attacks.”
