Following last year's SolarWinds hack, Check Point Research (CPR) decided to investigate Atlassian to see if its platform, which is used by 180,000 customers worldwide, could fall victim to a similar supply chain attack.
According to a new blog post from CPR, an attacker could have exploited these flaws with just one click to gain access to the Atlassian Jira bug system and retrieve sensitive information on Atlassian Cloud, Bitbucket and the company's on-premises products.
For those unfamiliar, Jira is a software development tool used by over 65k customers, including Visa, Cisco and Pfizer; Confluence is a team workspace used by over 60k customers, including LinkedIn, NASA and the New York Times; and Bitbucket is a Git-based source code repository hosting service. An attacker could potentially use all of these products in a supply chain attack to target both Atlassian's partners and customers.
Head of products and vulnerabilities research at CPR, Oded Vanunu explained in a statement why the company's security researchers decided to investigate Atlassian's platform in the first place, saying:
“Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organisation’s workflow. An incredible amount of supply chain information flows through these applications, as well as engineering and project management. Hence, we began asking a somewhat provocative question: what information could a malicious user get if they accessed a Jira or a Confluence account? Our curiosity led us to review Atlassian’s platform, where we found security flaws. In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defenses against malicious data extraction. We hope our latest research will help organisations to raise the awareness on supply chain attacks.”
CPR noted in its report that the flaws it found affect several websites maintained by Atlassian that support customers and partners, though the company's cloud-based and on-premises products themselves are not affected.
The cybersecurity firm was also able to prove that account takeover was possible for Atlassian accounts accessible through subdomains of its main website, which include jira.atlassian.com, confluence.atlassian.com, getsupport.atlassian.com, partners.atlassian.com, developer.atlassian.com, support.atlassian.com and training.atlassian.com.
The security flaws in Atlassian's platform could have enabled an attacker to perform cross-site scripting (XSS) attacks, cross-site request forgery (CSRF) attacks and session fixation attacks. With just one click, an attacker could take over a victim's Atlassian account, perform actions on their behalf, gain access to Jira tickets, edit a company's Confluence wiki or view tickets at GetSupport.
CPR responsibly disclosed the security flaws it discovered to Atlassian at the beginning of January, and the company deployed a fix for them on May 18.
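The three attack classes named above (XSS, CSRF and session fixation across sibling subdomains) are all blunted or amplified by how a site's session cookie is scoped and flagged. The following audit script is an added example, not code from CPR or Atlassian: it parses `Set-Cookie` headers and flags attributes that weaken those defenses. The headers, host names and cookie names are constructed samples on `example.com`, and the script makes no claim about which of these attributes was involved in the Atlassian findings.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class CookieAttrs:
    name: str
    domain: Optional[str] = None      # value of the Domain attribute, if any
    samesite: Optional[str] = None    # lax / strict / none, lowercased
    flags: Set[str] = field(default_factory=set)  # "secure", "httponly"


def parse_set_cookie(header: str) -> CookieAttrs:
    """Parse one Set-Cookie header value into the attributes we audit."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    cookie = CookieAttrs(name=name.strip())
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie.domain = value.strip().lower().lstrip(".")
        elif key == "samesite":
            cookie.samesite = value.strip().lower()
        elif key in ("secure", "httponly"):
            cookie.flags.add(key)
    return cookie


def audit_session_cookie(header: str) -> List[str]:
    """Return a list of findings for a session cookie; empty means no weakness found."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    # Any Domain attribute makes the cookie visible to every subdomain of that
    # domain (RFC 6265), so a flaw on one sibling site can read or plant the
    # session used by another: the classic session fixation foothold.
    if c.domain:
        findings.append(f"{c.name}: Domain={c.domain} is shared with all subdomains")
    if "httponly" not in c.flags:
        findings.append(f"{c.name}: missing HttpOnly, readable by injected script (XSS)")
    if "secure" not in c.flags:
        findings.append(f"{c.name}: missing Secure, may be sent over plain HTTP")
    if c.samesite not in ("lax", "strict"):
        findings.append(f"{c.name}: SameSite not Lax/Strict, sent on cross-site requests (CSRF)")
    return findings


# Constructed sample headers: a weakly scoped cookie and its hardened counterpart.
WEAK_HEADER = "sessionid=abc123; Domain=.example.com; Path=/"
HARDENED_HEADER = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Regenerating the session identifier at login is the other half of the session fixation defense, but it is a server behaviour that cannot be read off a header, so it is out of scope for this check.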