Check Point Research (CPR) disclosed critical vulnerabilities in Atlassian-owned subdomains that allowed attackers to take over user accounts, and with them Atlassian applications, by abusing the platform's single sign-on (SSO) capability.
Atlassian develops products for software developers, project managers, and other software-related teams that use the platform for data collaboration and information sharing.
An attacker who exploits these vulnerabilities and takes over an account can plant backdoors for later use. The resulting damage may be detected and contained only after much of it has already been done.
Atlassian uses SSO (Single Sign-On) so that a user can move between Atlassian products such as Jira, Confluence, and the Partners portal with one login. The platform implements a range of web security measures, including a Content Security Policy (CSP), SameSite=Strict cookies, and HttpOnly cookies.
The researchers used cross-site scripting (XSS) and cross-site request forgery (CSRF) to inject code into Atlassian subdomains, and by chaining these with a session fixation vulnerability in Atlassian domains they were able to take over accounts.
Check Point Research explained that exploit code targeting the vulnerable subdomains could be delivered by getting a victim to click a malicious link. A payload would then be sent on behalf of the victim and the user's session would be stolen.
The analysis found the following weaknesses in the affected subdomains: a poorly configured Content Security Policy (CSP); parameters vulnerable to XSS; bypasses of the SameSite and HttpOnly cookie mechanisms; and a cookie fixation flaw that let an attacker force a victim's browser to authenticate with a session cookie the attacker already knew.
In addition, the vulnerable domains allowed threat actors to compromise the session between the client and the web server once a user had logged into their account.
The researchers added: “With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence”.
The outcome of these attacks may include account hijacking, data theft, actions being performed on behalf of a user, and obtaining access to Jira tickets.
Check Point researchers note that taking over an account on such a collaborative platform means gaining access to data that was never meant for unauthorized eyes.
Atlassian was informed of the team’s findings on January 8, before public disclosure. A fix for the impacted domains was deployed on May 18.