Atlassian moves to lock down accounts from takeover bugs

Software development firm Atlassian has patched a series of vulnerabilities that could have potentially enabled account takeover.

Check Point Research was credited with the discovery and private report of the Atlassian flaws. According to Atlassian, a successful exploit would have enabled an attacker to obtain the single sign-on keys for multiple services, including Jira, Confluence and the Atlassian developer site.

The risk of account takeover is particularly bad in the context of Atlassian because the company's services are primarily used by enterprise developers and project managers. By hijacking an account, a bad actor could potentially insert malicious code, such as a backdoor, into a victim's projects and, in turn, get that backdoor access on every other project that depends on that code. In the wrong hands, this would be a serious supply chain breach.

"What makes a supply chain attack such as this one so significant is the fact that once the attacker leverages these vulnerabilities and takes over an account, he can plant backdoors that he can use in the future for his attack," the Check Point Research team noted in a report published Thursday. "This can create a severe damage which will be identified and controlled only much after the damage is done."

The vulnerabilities are not particularly high risk on their own. They include cross-site scripting (XSS), cross-site request forgery (CSRF), same site origin bypass and HttpOnly/cookie fixation error. All would be considered relatively low-severity bugs.

However, should an attacker chain the flaws together, they would be able to craft an HTTP request that would combine, for example, the cookie fixation and cross-site scripting flaws to trick the Atlassian sites into sending the attacker a session cookie for the victim.

Armed with that session cookie, the aggressor would then have access to not only the site they started from, but other Atlassian services that took advantage of the single sign-on setup.

The Check Point Research team demonstrated one possible attack scenario where an attacker would trick the target into clicking on a specially crafted link that would redirect to code targeting the chained flaws. With a single click, the researchers showed how the bugs would result in the attacker getting control over the victim's session.

"By using the XSS with CSRF that we found on training.atlassian.com combined with the method of Cookie fixation we were able to take over any Atlassian account, in just one click, on every subdomain under atlassian.com that doesn't use JWT [JSON web tokens] for the session and that is vulnerable to session fixation," the team wrote. "Taking over an account in such a collaborative platform means an ability to take over data that is not meant for unauthorized view."

While these flaws have since been locked down and should no longer pose a threat, Atlassian posted a set of recommendations for users and administrators to keep their accounts secure.

"Based on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform," Atlassian said in a statement. "Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server)."