Atlassian security flaws could have allowed business app account takeover with one click
Flaws made it possible for an attacker to target Atlassian’s partners and customers
Following last year’s SolarWinds hack, Check Point Research (CPR) decided to investigate Atlassian to see if its platform, which is used by 180,000 customers worldwide, could fall victim to a similar supply chain attack.
The cybersecurity firm was able to bypass Atlassian’s security measures and found security flaws in its collaboration software and developer tools.
According to a new blog post from CPR, an attacker could have exploited these flaws with just one click to gain access to the Atlassian Jira bug system and retrieve sensitive information on Atlassian cloud, Bitbucket and the company’s on-premises products.
For those unfamiliar, Jira is a software development tool used by over 65k customers including Visa, Cisco and Pfizer; Confluence is a team workspace used by over 60k customers including LinkedIn, NASA and the New York Times; and Bitbucket is a Git-based source code repository hosting service. An attacker could potentially use all of these products in a supply chain attack to target both Atlassian’s partners and customers.
Oded Vanunu, head of products and vulnerabilities research at CPR, explained in a statement why the company’s security researchers decided to investigate Atlassian’s platform in the first place, saying:
“Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organisation’s workflow. An incredible amount of supply chain information flows through these applications, as well as engineering and project management. Hence, we began asking a somewhat provocative question: what information could a malicious user get if they accessed a Jira or a Confluence account? Our curiosity led us to review Atlassian’s platform, where we found security flaws. In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defenses against malicious data extraction. We hope our latest research will help organisations to raise awareness of supply chain attacks.”
Account takeover
CPR noted in its report on the matter that the flaws it found affect several websites maintained by Atlassian that support customers and partners; the company’s cloud-based and on-prem products are not affected.
The cybersecurity firm was also able to prove that account takeover was possible for Atlassian accounts accessible via subdomains of its main website, which include jira.atlassian.com, confluence.atlassian.com, getsupport.atlassian.com, partners.atlassian.com, developer.atlassian.com, support.atlassian.com and training.atlassian.com.
The security flaws in Atlassian’s platform could have enabled an attacker to perform cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) attacks and session fixation attacks. With just one click, an attacker could take over a victim’s Atlassian account, perform actions on their behalf, gain access to Jira tickets, edit a company’s Confluence wiki or view tickets at GetSupport.
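Of the three flaw classes named above, session fixation is the one whose mitigation is simplest to show in code. The following is an added example, not Check Point’s or Atlassian’s code, and it assumes nothing about how Atlassian’s sites actually handled sessions: a constructed in-memory session store with a login routine that keeps whatever session id the browser presented (the pattern that makes fixation possible) beside one that discards the pre-authentication id and issues a fresh one at login. The `SessionStore` class and its methods are hypothetical names chosen for this illustration.

```python
"""Session fixation: the weak login flow beside the hardened one.

Constructed, self-contained example for illustration only.  It is not the
code of any Atlassian product or site, and the names below are made up.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: Optional[str] = None   # None until a login succeeds
    authenticated: bool = False


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)

    def new_session(self) -> str:
        """Issue a fresh, unguessable id for an anonymous visitor."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Fixation-prone: the id presented before login stays valid after it.

        If that id was known to someone else beforehand (planted via a link
        or injected script), they now hold an authenticated session for
        `user` without ever seeing the password.
        """
        session = self.sessions.setdefault(sid, Session())
        session.user = user
        session.authenticated = True
        return sid

    def login_hardened(self, sid: Optional[str], user: str) -> str:
        """Mitigation: rotate the id at the privilege boundary.

        The pre-authentication id is invalidated server-side and a new,
        random id is issued, so a planted id never becomes authenticated.
        """
        if sid is not None:
            self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(user=user, authenticated=True)
        return new_sid

    def is_authenticated(self, sid: str) -> bool:
        session = self.sessions.get(sid)
        return session is not None and session.authenticated


def planted_id_survives_login(hardened: bool) -> bool:
    """Does an id known before login end up authenticated afterwards?

    Models the fixation scenario: `planted` is an id that existed (and was
    observable) before the victim logged in with it.  A secure flow must
    return False here.
    """
    store = SessionStore()
    planted = store.new_session()
    if hardened:
        store.login_hardened(planted, "victim")
    else:
        store.login_vulnerable(planted, "victim")
    return store.is_authenticated(planted)


def hardened_login_rotates() -> bool:
    """Check the three properties of the mitigation: new id differs from the
    old one, the new id is authenticated, and the old id no longer works."""
    store = SessionStore()
    old = store.new_session()
    new = store.login_hardened(old, "victim")
    return (new != old
            and store.is_authenticated(new)
            and not store.is_authenticated(old))


if __name__ == "__main__":
    print("vulnerable flow keeps planted id:", planted_id_survives_login(hardened=False))
    print("hardened flow keeps planted id:  ", planted_id_survives_login(hardened=True))
    print("hardened flow rotates id:        ", hardened_login_rotates())
```

The same rotation check is a useful acceptance test for any web framework: after a successful login, the session cookie value must change and the old value must be rejected by the server. Rotating the id also limits the damage of the other two flaw classes the article names, because a CSRF or XSS payload that fixed a session before login gains nothing from the victim’s subsequent authentication.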
CPR responsibly disclosed the security flaws it discovered to Atlassian at the beginning of January, and the company deployed a fix for them on May 18.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.