Site icon Check Point Blog

Security Flaws in Atlassian’s Platform Led to Account Takeover in One Click

Check Point Research (CPR) finds security flaws in Atlassian, a platform used by 180,000 customers worldwide to engineer software and manage projects. With just one click, an attacker could have used the flaws get access to the Atlassian Jira bug system and get sensitive information such as security issues on Atlassian cloud, Bitbucket and on premise products.   

Check Point Research (CPR) identified security flaws on Atlassian, the team collaboration and productivity platform used by 180,000 customers worldwide.  With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence.

Jira is a leading software development tool used by over 65,000 customers, such as Visa, Cisco and Pfizer. Confluence is a remote-friendly team workspace used by over 60,000 customers, such as LinkedIn, NASA and the New York Times. Bitbucket is a Git-based source code repository hosting service. All these products can be used in a supply chain attack to target Atlassian partners and customers.

It should be noted the vulnerability affected several Atlassian-maintained websites, which support customers and partners. It does not affect Atlassian cloud-based or on-prem products.

Account Takeover

CPR proved that account take over was possible on Atlassian accounts accessible by subdomains under atlassian.com. The subdomains found vulnerable were:

Security Flaws

The security flaws would have enabled an attacker to execute a number of possible malicious activities:

In other words, an attacker could use the security flaws found by CPR to take control over a victim’s account, perform actions on behalf of him, and gain access to Jira tickets. Furthermore, an attacker could have edited a company’s Confluence wiki, or view tickets at GetSupport. The attacker could have gone on to gain personal information. All of this could be accomplished in just one-click.

Attack Methodology

To exploit the security flaws, an attacker’s order of operations would have been:

  1. Attacker lures victim into clicking on a crafted link (coming from the “Atlassian” domain), either from social media, a fake email or messaging app etc.
  2. By clicking on the link, the payload would send a request on behalf of the victim to the Atlassian platform, which would perform the attack and steal the user session.
  3. Attacker logs onto victim’s Atlassian apps associated with the account, gaining all the sensitive information that is stored there

Responsible Disclosure

CPR responsibly disclosed its research findings to Atlassian on January 8, 2021. Atlassian said that a fix was deployed on May 18, 2021.

Ever since the SolarWinds incidents last year, supply chain attacks have been in the forefront of CPR researchers’ interest. Since the Atlassian platforms are central to so many organizations workflows, an incredible amount of supply chain information flows through these applications CPR researchers began asking themselves what information could a malicious user get if they accessed a Jira or a Confluence account. This curiosity led them to review Atlassian’s platform, where these security flaws were found. In a world where distributed workforces increasingly depend on remote technologies, it is imperative to ensure these technologies have the best defenses against malicious data extraction.

For more information, please visit our technical blog here.

Exit mobile version