Atlassian Domain Flaws Could Have Led to Data Leakage and Account Control with Just One-click Exploit
Research conducted by security analysts identified Atlassian domain flaws that could have led to full account takeover.
The Check Point Research team (CPR) recently investigated several Atlassian domains after suspecting they were flawed. In a communication from Thursday, they disclosed weaknesses in Atlassian's web properties, which share a single sign-on (SSO) for their accounts and applications. Through these vulnerabilities, threat actors could access systems, obtain confidential information and steal users' sessions. All of this could have led to a supply chain attack, and since Atlassian products are used by most enterprises, that would mean severe damage.
What Does a Supply Chain Attack Mean?
A supply chain attack is also called a value chain attack or a third-party attack. It is named that way because, instead of targeting the main organization directly, it goes after the third-party companies that supply it, which most probably do not have the same security protection and therefore serve as weak spots. Since this kind of attack targets an organization's suppliers, attackers can implant a backdoor into their products and in this way gain indirect, unauthorized access to the company that is the real target.
Atlassian Domain Flaws Lead to Platform Being Tested
The researchers therefore put the Atlassian domains to the test to confirm their exposure to such attacks. Atlassian is a software company whose products are used by project managers and software developers. Its best-known products are Jira, a management tool that helps teams with software development, test case management and requirements tracking, and Confluence, which also helps teams work together through task assignment, calendar management and similar features.
The CPR team followed the steps below and simulated an attack:
- They managed to bypass Atlassian security measures such as HttpOnly cookies, CSP and SameSite "Strict" cookies.
- The first step was to inject code into the company's website, which can be done through XSS and CSRF.
- XSS (Cross-Site Scripting): because of an unsafe Content Security Policy on training.atlassian.com, the researchers were able to inject a client-side script and read the user's local storage and cookies with a simple payload.
- CSRF (Cross-Site Request Forgery): an unwanted action is carried out unintentionally by the user; in this case, the researchers made the user add a malicious item to their cart.
- By injecting code through XSS and CSRF, a new session cookie could have been created in the user's account, which led to taking over Atlassian accounts.
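The two protections named in the steps above, the Content Security Policy and the cookie attributes, can be audited from a site's HTTP response headers. The following checker is an added example written for this article; it is not Check Point's or Atlassian's code, and the sample CSP and Set-Cookie values in it are constructed to show a permissive policy and an unprotected session cookie beside their hardened counterparts.

```python
"""Audit HTTP response headers for the weaknesses discussed above: a
Content-Security-Policy that lets injected markup run script, and a
session cookie that lacks HttpOnly, Secure or SameSite.
Added example, not code from the original article. The headers below are
constructed for the demonstration."""

# Script sources that let injected markup execute (wildcards and schemes
# allow any host; 'unsafe-inline' allows inline <script> and handlers).
UNSAFE_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header):
    """Return a list of weaknesses that would let injected script run."""
    policy = parse_csp(header)
    # script-src governs scripts; default-src is the fallback when absent.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        return ["no script-src or default-src: any script source is allowed"]
    # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one
    # is present, so it is not a finding in that case.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
    findings = []
    for source in scripts:
        if source in UNSAFE_SCRIPT_SOURCES:
            if source == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            findings.append(f"script-src allows {source}")
    return findings


def cookie_findings(set_cookie):
    """Return the protections missing from one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.lower()] = value.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    if attrs.get("samesite", "").lower() not in ("strict", "lax"):
        findings.append(f"{name}: SameSite not Strict/Lax (sent on cross-site requests)")
    return findings


def audit(csp_header, set_cookie_headers):
    """Combine both checks into one report: {'csp': [...], 'cookies': [...]}."""
    cookie_issues = []
    for header in set_cookie_headers:
        cookie_issues.extend(cookie_findings(header))
    return {"csp": csp_findings(csp_header), "cookies": cookie_issues}


# Constructed sample headers: a weak configuration and a hardened one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
HARDENED_CSP = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'; "
                "object-src 'none'; base-uri 'self'")
WEAK_COOKIE = "session=abc123; Path=/"
HARDENED_COOKIE = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for label, csp, cookie in (("weak", WEAK_CSP, WEAK_COOKIE),
                               ("hardened", HARDENED_CSP, HARDENED_COOKIE)):
        report = audit(csp, [cookie])
        print(f"[{label}] CSP: {report['csp'] or 'ok'}")
        print(f"[{label}] cookies: {report['cookies'] or 'ok'}")
```

Running the script reports two CSP findings and three cookie findings for the weak configuration and none for the hardened one. The checker covers only script execution and session-cookie attributes; a real review would also look at the remaining CSP directives and at whether every state-changing request carries an anti-CSRF token, since SameSite alone does not protect a form that is submitted from the site's own origin.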
What Domains Were the Most Exposed?
As TheHackersNews reports, the main exposed subdomains were: training.atlassian.com, partners.atlassian.com, confluence.atlassian.com, jira.atlassian.com, developer.atlassian.com, getsupport.atlassian.com and support.atlassian.com.
What Can A Hacker Get Access to?
Simply put, the Atlassian domain flaws could allow a threat actor to send a malicious link to a user; once the user clicks it and the payload executes, the attacker obtains the user's credentials and can take over the account. Other consequences would be:
- Access to Jira tickets
- Data stealing
- Account hijacking
- Data leakage
- Actions on behalf of the user
What Measures Were Implemented?
The researchers informed the company about these Atlassian domain flaws on the 8th of January 2021, and the company shipped fixes on the 18th of May. An Atlassian representative stated in a communication sent to ThreatPost:
Based on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server).