Following last year’s SolarWinds hack, Check Point Research (CPR) decided to investigate Atlassian to see if its platform which is used by 180,000 customers worldwide could fall victim to a similar supply chain attack.
The cybersecurity firm was able to bypass Atlassian’s security measures and found security flaws in its collaboration software and developer tools.
According to a new blog post from CPR, an attacker could have exploited these flaws with just one click to gain access to the Atlassian Jira bug system and retrieve sensitive information on Atlassian cloud, Bitbucket and the company’s on-premises products.
For those unfamiliar, Jira is a software development tool used by over 65k customers including Visa, Cisco and Pfizer, Confluence is a team workspace used by over 60k customers including LinkedIn, NASA and the New York Times and Bitbucket is a Git-based source code repository hosting service. An attacker could potentially use all of these products in a supply chain attack to target both Atlassian’s partners and customers.
Head of products and vulnerabilities research at CPR, Oded Vanunu explained in a statement why the company’s security researchers decided to investigate Atlassian’s platform in the first place, saying:
“Supply chain attacks have been piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organisation’s workflow. An incredible amount of supply chain information flows through these applications, as well as engineering and project management. Hence, we began asking a somewhat provocative question: what information could a malicious user get if they accessed a Jira or a Confluence account? Our curiosity led us to review Atlassian’s platform, where we found security flaws. In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defenses against malicious data extraction. We hope our latest research will help organisations to raise the awareness on supply chain attacks.”
Account takeover
CPR noted in its report on the matter that the flaws it found affect several websites maintained by Atlassian that support customers and partners though the company’s cloud-based or on-prem products are not affected.
The cybersecurity firm was also able to prove that account takeover was possible for Atlassian accounts that are accessible by subdomains under its main website which include jira.atlassian.com, confluence.atlassian.com, getsupport.atlassian.com, partners.atlassian.com, developer.atlassian.com, support.atlassian.com and training.atlassian.com.
The security flaws in Atlassian’s platform could have enabled an attacker to perform cross-site-scripting (XSS) attacks, cross-site request forgery (CSRF) attacks and session fixation attacks. With just one click, an attacker could take over a victim’s Atlassian account, perform actions on behalf of them, gain access to Jira tickets, edit a company’s Confluence wiki or view tickets at GetSupport.
CPR responsibly disclosed the security flaws it discovered to Atlassian in the beginning of January and the company deployed a fix for them on May 18.
