Check Point Research (CPR) has identified security vulnerabilities in Atlassian, a collaboration and productivity platform used by 180,000 customers worldwide.
With a single click, an attacker could have used these vulnerabilities to take over accounts and control some of Atlassian's applications, including Jira and Confluence.
Jira is a leading software development tool used by more than 65,000 customers, including Visa, Cisco and Pfizer.
Confluence is a remote-friendly team workspace used by more than 60,000 customers, including LinkedIn, NASA and the New York Times.
Bitbucket is a Git-based source code hosting service. Any of these products could be used in a supply chain attack to target Atlassian partners and customers.
It's worth noting that the vulnerabilities affected several Atlassian websites that support its customers and partners. They do not affect Atlassian's cloud-based or on-premise products.
Account Takeover
CPR showed that account takeover was possible on Atlassian accounts reachable through subdomains of atlassian.com. The vulnerable subdomains were:
- jira.atlassian.com
- confluence.atlassian.com
- getsupport.atlassian.com
- partners.atlassian.com
- developer.atlassian.com
- support.atlassian.com
- training.atlassian.com
Security Gaps
The security gaps would have allowed an attacker to carry out a number of malicious activities:
- Cross-Site Scripting (XSS) attacks: malicious scripts are injected into websites and applications so that they execute in the end user's browser.
- Cross-Site Request Forgery (CSRF) attacks: the attacker tricks users into performing actions they did not intend to perform.
- Session Fixation attacks: the attacker takes over the session between the client and the web server by getting the user to log in on a session identifier the attacker already controls.
In other words, an attacker could have used the vulnerabilities identified by CPR to gain control of a victim's account, take actions on their behalf, and gain access to Jira tickets. An attacker could also have edited a company's Confluence wiki or viewed tickets on GetSupport.
The attacker could go one step further and obtain personal information. All of this could be achieved with a single click.
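An added illustration of the session fixation class listed above (not code from CPR or Atlassian): a small in-memory session store with a vulnerable login that keeps whatever session id the browser presents, beside a hardened login that discards it and issues a fresh id at authentication. The user table, password and planted session id are constructed for the example.

```python
import hmac
import secrets

# Constructed credential table for the example (the page names no users or passwords).
USERS = {"victim": "correct horse battery staple"}


def check_password(username, password):
    """Constant-time comparison against the constructed user table."""
    expected = USERS.get(username, "")
    return hmac.compare_digest(expected, password)


class SessionStore:
    """In-memory session store; rotate_on_login selects the hardened behaviour."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> username

    def login(self, presented_sid, username, password):
        """Authenticate and return the session id the browser should keep using."""
        if not check_password(username, password):
            raise PermissionError("bad credentials")
        if self.rotate_on_login:
            # Hardened: forget the id the browser arrived with and mint a fresh,
            # unguessable one, so an id planted before login never becomes authenticated.
            self.sessions.pop(presented_sid, None)
            sid = secrets.token_urlsafe(32)
        else:
            # Vulnerable: the pre-login id is simply upgraded to an authenticated session.
            sid = presented_sid
        self.sessions[sid] = username
        return sid

    def whoami(self, sid):
        """User bound to a session id, or None if the id is not authenticated."""
        return self.sessions.get(sid)


def simulate(rotate_on_login):
    """Return (user seen with the planted id, user seen with the id issued at login)."""
    store = SessionStore(rotate_on_login)
    planted = "attacker-chosen-session-id"  # constructed: id the victim's browser was made to send
    issued = store.login(planted, "victim", USERS["victim"])
    return store.whoami(planted), store.whoami(issued)


if __name__ == "__main__":
    print("no rotation:", simulate(False))  # ('victim', 'victim'): planted id is now the victim's session
    print("rotation:   ", simulate(True))   # (None, 'victim'): planted id stays worthless
```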
Attack Methodology
To exploit these security flaws, an attacker's sequence of actions would be as follows:
- The attacker entices the victim to click a crafted link (hosted on an Atlassian domain), whether on social media, in a fake email, or through a messaging app.
- When the victim clicks the link, the payload sends a request from the victim to the Atlassian platform, which carries out the attack and steals the user's login.
- The attacker then signs in to the Atlassian applications associated with the victim's account and obtains all the sensitive information stored there.
Responsible Disclosure
CPR responsibly disclosed its findings to Atlassian on January 8, 2021. Atlassian stated that it deployed fixes on May 18, 2021.
Statement by Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software:
“Supply chain attacks have piqued our interest throughout the year, especially after the SolarWinds incident. Atlassian's platforms are central to an organization's workflow. An incredible amount of supply chain information flows through these applications, as well as engineering and management projects. Therefore, we began to ask a somewhat troubling question: what information could a malicious user get if they gained access to a Jira or Confluence account? Our curiosity led us to examine the Atlassian platform, where we found security gaps. In a world where the workforce is increasingly dependent on remote technologies, it is imperative to ensure that these technologies have the best defenses against data mining. We hope our latest research will help organizations become more aware of supply chain attacks.”