Researchers Detail Exploit Chain for Hijacking Atlassian Accounts


Researchers at cybersecurity firm Check Point discovered several vulnerabilities that could have been chained to take over Atlassian accounts or access a company’s Bitbucket-hosted source code. Atlassian patched the flaws before their details were made public.

The software development and collaboration tools made by Australia-based Atlassian are used by more than 150,000 organizations worldwide, which can make the company’s products a tempting target for malicious actors.

Check Point reported on Thursday that its researchers identified a series of vulnerabilities affecting several Atlassian applications connected through single sign-on (SSO). Impacted subdomains included jira.atlassian.com, confluence.atlassian.com, getsupport.atlassian.com, partners.atlassian.com, developer.atlassian.com, support.atlassian.com, and training.atlassian.com.

The exploit chain developed by the researchers involved cross-site scripting (XSS), cross-site request forgery (CSRF), bypassing SameSite protection, and bypassing HTTPOnly using cookie fixation.

In order to trigger the exploit chain and take control of an account, the attacker only needed to convince the targeted user to click on a malicious link.

Check Point researchers also showed how an attacker could have targeted Atlassian’s source code repository hosting service Bitbucket. An attacker who could trick a user into clicking on a malicious link could have stolen that user’s credentials.

“Accessing a company’s Bitbucket repositories could allow attackers to access and change source code, make it public or even plant backdoors,” the researchers warned.

Contacted by SecurityWeek, an Atlassian spokesperson said that based on the company’s investigation, the vulnerabilities impacted “a limited set of Atlassian-owned web applications as well as a third-party training platform.”

“Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server),” the company said.

Check Point has published a blog post detailing its findings, as well as a video showing the exploits in action.

Related: AESDDoS Botnet Targets Vulnerability in Atlassian’s Confluence Server

Related: Critical Vulnerability Addressed in Jira Service Desk

Related: JIRA Misconfiguration Leaks Data of Fortune 500 Companies

view counter

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:
Tags:



Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *