One-click account takeover vulnerabilities in Atlassian domains patched

Research was conducted in light of the increasing threat of supply-chain attacks.
Written by Charlie Osborne, Contributing Writer

Vulnerabilities that could allow XSS, CSRF, and one-click account takeovers in Atlassian subdomains have been patched. 

On Thursday, Check Point Research (CPR) said that the bugs were found in the software solutions provider's online domains, used by thousands of enterprise clients worldwide. 

The Australian vendor is the provider of tools including Jira, a project management system, and Confluence, a document collaboration platform for remote teams. 

The vulnerabilities in question were found in a number of Atlassian-maintained websites, rather than on-prem or cloud-based Atlassian products. 

Subdomains under atlassian.com, including partners, developer, support, Jira, Confluence, and training.atlassian.com were vulnerable to account takeover. 

CPR explained that exploit code utilizing the vulnerabilities in the subdomains could be deployed through a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and a user session would be stolen. 

The vulnerable domain issues included a poorly configured Content Security Policy (CSP), parameters vulnerable to XSS, bypass of the SameSite and HttpOnly cookie protections, and a weak spot that allowed cookie fixation -- the option for attackers to force users to use session cookies known to them for authentication purposes.

The researchers say that it was possible to take over accounts accessible by these subdomains through cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. In addition, the vulnerable domains also allowed threat actors to compromise sessions between the client and web server once a user logged into their account.
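The weakness classes named above (a permissive CSP, session cookies without Secure/HttpOnly/SameSite, and cookies scoped to a whole parent domain, which is one way fixation across subdomains becomes possible) can be checked mechanically against a site's own HTTP responses. The following Python audit is an added example, not code from the article or from Check Point Research; the headers it inspects are constructed for illustration, and since the article does not describe the exact misconfigurations found on the Atlassian subdomains, the checks are generic hardening checks rather than a reproduction of those findings.

```python
"""Audit HTTP response headers for the weakness classes the report names:
a permissive Content Security Policy and session cookies that lack the
Secure/HttpOnly/SameSite attributes or are shared across all subdomains."""
from typing import Dict, List, Tuple, Union

# Constructed sample headers for demonstration; not captured from any real site.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Security-Policy",
     "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=.example.com"),
    ("Set-Cookie", "csrftoken=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

# Sources that, in the effective script-src, let injected markup execute.
CSP_RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [sources]}; directive names are lower-cased."""
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_csp(policy: str) -> List[str]:
    """Report risky sources in script-src, falling back to default-src as browsers do."""
    directives = parse_csp(policy)
    effective = directives.get("script-src", directives.get("default-src"))
    if effective is None:
        return ["CSP: no script-src or default-src, so scripts are unrestricted"]
    return [f"CSP: effective script-src allows {src}"
            for src in effective if src in CSP_RISKY_SOURCES]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, Union[str, bool]]]:
    """Return (cookie name, {attribute: value or True}) for one Set-Cookie header."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), attrs


def audit_cookie(value: str) -> List[str]:
    """Flag cookie attributes whose absence enables theft via XSS, CSRF, or fixation."""
    name, attrs = parse_set_cookie(value)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure, so it is sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly, so page script (e.g. injected via XSS) can read it")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() == "none":
        findings.append(f"{name}: SameSite absent or None, so cross-site requests carry it (CSRF)")
    domain = attrs.get("domain")
    if isinstance(domain, str):
        findings.append(f"{name}: Domain={domain} shares the cookie with every subdomain, "
                        "so any one subdomain can set or overwrite it (cookie fixation)")
    return findings


def audit_headers(headers: List[Tuple[str, str]]) -> List[str]:
    """Run the CSP and cookie checks over a list of (header name, value) pairs."""
    findings: List[str] = []
    csp_seen = False
    for name, value in headers:
        lowered = name.lower()
        if lowered == "content-security-policy":
            csp_seen = True
            findings.extend(audit_csp(value))
        elif lowered == "set-cookie":
            findings.extend(audit_cookie(value))
    if not csp_seen:
        findings.append("CSP: header absent")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```

Run against the constructed sample, the `sessionid` cookie and the wildcard CSP produce seven findings while the fully attributed `csrftoken` cookie produces none; pointing `audit_headers` at the response headers of each subdomain a site owns turns the list above into a regression check that can run in CI.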

"With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian's applications, including Jira and Confluence," the researchers said. 

The ramifications of these attacks included account hijacking, data theft, actions being performed on behalf of a user, and obtaining access to Jira tickets.

Atlassian was informed of the team's findings on January 8, prior to public disclosure. A fix for the impacted domains was deployed on May 18. 

Atlassian told ZDNet:

"Based on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server)."

The research into Atlassian was performed by CPR due to the ongoing issues surrounding supply chain attacks, in which threat actors will target a centralized resource used by other companies. 

If this element can be compromised -- such as by tampering with update code due to be pushed out to clients in the case of Codecov -- then a wider pool of potential victims can be reached with little effort. 

SolarWinds, too, is a prime example of how devastating a supply chain attack can be. Approximately 18,000 SolarWinds clients received a malicious SolarWinds Orion software update that planted a backdoor into their systems; however, the attackers cherry-picked a handful of victims for further compromise, including Microsoft, FireEye, and a number of federal agencies. 
