
Atlassian security flaws could have allowed business app account takeover with one click


Following last year's SolarWinds hack, Check Point Research (CPR) decided to investigate Atlassian to see whether its platform, which is used by 180,000 customers worldwide, could fall victim to a similar supply chain attack.

The cybersecurity firm was able to bypass Atlassian's security measures and found security flaws in its collaboration software and developer tools.

According to a new blog post from CPR, an attacker could have exploited these flaws with just one click to gain access to the Atlassian Jira bug system and retrieve sensitive information on Atlassian cloud, Bitbucket and the company's on-premises products.

For those unfamiliar, Jira is a software development tool used by over 65k customers including Visa, Cisco and Pfizer; Confluence is a team workspace used by over 60k customers including LinkedIn, NASA and the New York Times; and Bitbucket is a Git-based source code repository hosting service. An attacker could potentially use all of these products in a supply chain attack to target both Atlassian's partners and customers.

Oded Vanunu, head of products and vulnerabilities research at CPR, explained in a statement why the company's security researchers decided to investigate Atlassian's platform in the first place, saying:

“Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organisation’s workflow. An incredible amount of supply chain information flows through these applications, as well as engineering and project management. Hence, we began asking a somewhat provocative question: what information could a malicious user get if they accessed a Jira or a Confluence account? Our curiosity led us to review Atlassian’s platform, where we found security flaws. In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defenses against malicious data extraction. We hope our latest research will help organisations to raise awareness of supply chain attacks.”

Account takeover

CPR noted in its report on the matter that the flaws it found affect several websites maintained by Atlassian that support customers and partners, although the company's cloud-based and on-prem products themselves are not affected.

The cybersecurity firm was also able to prove that account takeover was possible for Atlassian accounts accessible via subdomains under its main website, including jira.atlassian.com, confluence.atlassian.com, getsupport.atlassian.com, partners.atlassian.com, developer.atlassian.com, support.atlassian.com and training.atlassian.com.

The security flaws in Atlassian's platform could have enabled an attacker to perform cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) attacks and session fixation attacks. With just one click, an attacker could take over a victim's Atlassian account, perform actions on their behalf, gain access to Jira tickets, edit a company's Confluence wiki or view tickets at GetSupport.

CPR responsibly disclosed the security flaws it discovered to Atlassian at the beginning of January, and the company deployed a fix for them on May 18.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.