Check Point Research (CPR) revealed critical vulnerabilities in the Atlassian project that allow attackers to take over accounts and Atlassian applications via single sign-on (SSO) functionality.
Atlassian develops products for software developers, project managers, and other software-related teams that use the platform for data collaboration and information sharing.
Once an attacker exploits these vulnerabilities and takes over an account, they can plant backdoors to use in future attacks. This can cause severe damage that may be identified and contained only after much harm has already been done.
Atlassian uses SSO (Single Sign-On) to navigate between Atlassian products such as JIRA, Confluence, and Partners. It implements a variety of web security measures such as CSP, SameSite "Strict" cookies, and HttpOnly cookies.
Researchers used XSS and CSRF to inject code into Atlassian, and by combining this with a session fixation vulnerability in Atlassian domains, they were able to take over accounts.
Check Point Research explained that exploit code using the vulnerabilities in the subdomains could be deployed via a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and a user session could be stolen.
According to the analysis, the vulnerabilities found in the subdomains include a poorly configured Content Security Policy (CSP), parameters vulnerable to XSS, a SameSite and HttpOnly mechanism bypass, and a weakness that allowed cookie fixation, giving attackers the option to force users to authenticate with session cookies already known to the attacker.
In addition, the vulnerable domains also allowed threat actors to compromise sessions between the user and the web server once a user logged into their account.
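As an added illustration (not Check Point's or Atlassian's code), the following Python checks two of the weakness classes named above from the defender's side: an audit of a Set-Cookie header for the HttpOnly, Secure and SameSite=Strict attributes, and a minimal session store showing why the session id must be rotated at login to defeat cookie fixation. The cookie names and header values are constructed samples; the `rotate` parameter exists only to contrast the weak pattern with the fixed one.

```python
"""Defensive checks for two weakness classes named above: session cookies lacking HttpOnly,
Secure or SameSite=Strict, and session fixation. Added illustration, not Atlassian code."""
import secrets

FLAG_NAMES = {"httponly": "HttpOnly", "secure": "Secure"}


def audit_set_cookie(header):
    """Return findings for one Set-Cookie header value (empty list if it is fine)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    findings = [f"{name}: missing {label}"
                for flag, label in FLAG_NAMES.items() if flag not in attrs]
    samesite = attrs.get("samesite", "absent")
    if samesite != "strict":
        findings.append(f"{name}: SameSite is {samesite}, Strict expected for a session cookie")
    return findings


class SessionStore:
    """Minimal server-side session table used to show the fixation mitigation."""
    def __init__(self):
        self.sessions = {}  # session id -> authenticated user (None before login)

    def anonymous(self):
        """Issue a pre-login session id, as a site does on first visit."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = None
        return sid

    def login(self, sid, user, rotate=True):
        """Authenticate the session. With rotate=True the pre-login id is discarded
        and a fresh one issued, so an id planted before login never becomes an
        authenticated session; rotate=False reproduces the vulnerable pattern."""
        if sid not in self.sessions:
            raise KeyError("unknown session id")
        if not rotate:
            self.sessions[sid] = user
            return sid
        del self.sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = user
        return new_sid

    def user_for(self, sid):
        """Resolve a session id to its user; None if unknown or unauthenticated."""
        return self.sessions.get(sid)
```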
Researchers added, "With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian's applications, including Jira and Confluence".
The outcome of these attacks may include account hijacking, data theft, actions being performed on behalf of a user, and gaining access to Jira tickets.
Check Point researchers point out that taking over an account on such a collaborative platform means the ability to take over data that is not meant for unauthorized viewing.
Atlassian was informed of the team's findings on January 8, before public disclosure. A fix for the impacted domains was deployed on May 18.