Check Point Research (CPR) has identified security vulnerabilities in Atlassian, a collaboration and production platform used by 180.000 customers worldwide.
With a single click, an attacker could have used these vulnerabilities to take over accounts and control some of Atlassian applications, including Jira and Confluence.
Jira is a leading software development tool that usesfrom more than 65.000 customers, including Visa, Cisco and Pfizer.
Confluence is a remote-friendly team workspace used by more than 60.000 customers, including LinkedIn, NASA and the New York Times.
Bitbucket is a Git-based source hosting service. All of these products can be used in a supply chain attack to target Atlassian partners and customers.
It's worth noting that the vulnerability affected several websites at Atlassian, which support its customers and partners. It does not affect Atlassian's cloud-based and on-premise products.
Withdrawal of Account
CPR has proven that debit was possible on Atlassian accounts, which are accessible through subdomains at atlassian.com. The vulnerable subdomains were:
jira.atlassian.com
confluence.atlassian.com
getsupport.atlassian.com
partners.atlassian.com
developer.atlassian.com
support.atlassian.com
training.atlassian.com
Security Gaps
Security vulnerabilities would allow an attacker to perform a number of potential malicious activities:
- Cross-Site Scripting (XSS) attacks: malicious scripts are inserted into websites and applications in order to execute them on the end-user device.
- Website Application Counterfeiting Attacks (CSRF): The attacker motivates users to perform actions that they do not intend to perform.
- Session manipulation attacks: the attacker steals the session connections between the client and the Web Server with the user's login.
In other words, an attacker could use the security vulnerabilities identified by CPR to gain control of the victim account, take action on their behalf, and gain access to Jira tickets. Additionally, an attacker could have edited a company's wiki's Confluence or viewed tickets on GetSupport.
The attacker could also go one step further and obtain personal information. All this could be achieved with a single click.
Attack Methodology
To take advantage of the security drawbacks, the sequence of actions of an intruder would be as follows:
- The attacker entices the victim to click on a fabricated link (coming from the "Atlassian" domain), either on Social Media, or with a fake email or messaging app, etc.
- By clicking on the link, the payload will send a request from the victim to the Atlassian platform, which will execute the attack and steal the user's login.
- The attacker connects to the victim's Atlassian applications associated with his account, obtaining all the sensitive information stored there.
Responsible information
CPR responsibly disclosed its findings to Atlassian on January 8, 2021. Atlassian stated that it made repairs on May 18, 2021.
Statement by Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software:
“Supply chain attacks have piqued our interest throughout the year, especially after the SolarWinds incident. Atlassian's platforms are central to an organization's workflow. An incredible amount of information about the chain supply ρέει μέσω αυτών των εφαρμογών, καθώς και η μηχανική και η διαχείριση έργων. Ως εκ τούτου, αρχίσαμε να θέτουμε ένα κάπως ανησυχητικό ερώτημα: ποιες πληροφορίες θα μπορούσε να πάρει ένας κακόβουλος χρήστης εάν αποκτούσε πρόσβαση σε έναν λογαριασμό Jira ή Confluence; Η περιέργειά μας, μας οδήγησε να εξετάσουμε την πλατφόρμα της Atlassian, όπου κα βρήκαμε κενά ασφαλείας. Σε έναν κόσμο όπου το εργατικό δυναμικό εξαρτάται όλο και περισσότερο από εξ'αποστάσεως τεχνολογίες, είναι επιτακτική ανάγκη να διασφαλιστεί ότι οι τεχνολογίες αυτές έχουν την καλύτερη άμυνα ενάντια στην εξαγωγή data. We hope our latest research will help organizations become more aware of supply chain attacks.”