Security researchers have warned of a critical flaw in the Atlassian project and software development platform that hackers could use to take over an account and control some of the apps connected through its single sign-on (SSO) capability.
According to Check Point Research (CPR), hackers could exploit the flaw to access Atlassian's Jira, a bug-tracking and agile project-management tool used by around 65,000 customers, including Cisco, Pfizer, and Visa.
The flaw centres on Atlassian's use of SSO to provide seamless navigation between the subdomains of related products, such as Jira (jira.atlassian.com) and Confluence (confluence.atlassian.com). This creates a potential attack scenario in which malicious code is injected into the platform and a session fixation flaw is then leveraged to hijack a legitimate user session and take control of an account.
Researchers proved that account takeover was possible on Atlassian accounts accessible via subdomains under atlassian.com.
To exploit the flaw, hackers would have to lure a victim into clicking a crafted link coming from the "Atlassian" domain via social media, a fake email, a messaging app, or similar. Clicking the link would cause the payload to send a request on the victim's behalf to the Atlassian platform, which would carry out the attack and steal the user session. The hacker could then log in to the victim's Atlassian apps linked to the account, gaining all the sensitive information stored there.
"What makes a supply chain attack such as this one so significant is the fact that once the attacker leverages these vulnerabilities and takes over an account, he can plant backdoors that he can use in the future for his attack. This can create severe damage which will be identified and controlled only long after the damage is done," said researchers.
Lewis Jones, threat intelligence analyst at Talion, told ITPro that successfully exploiting these flaws could result in a supply-chain attack whereby an attacker can take over an account and use it to perform unauthorised actions, such as editing Confluence pages, accessing Jira tickets, and even injecting malicious implants to stage further attacks down the line.
"Furthermore, if an attacker gains access to a Jira account, the attacker can proceed to take control of a Bitbucket account, which could lead to an attacker being able to pilfer credentials. This could grant them permissions to access or change source code, make the repository public, or even insert backdoors," he said.
"Whilst details have only recently emerged, a fix for the flaw was released in May. Users are advised to ensure that updates are implemented as soon as possible, and to continue monitoring for any further developments."
CPR disclosed its research findings to Atlassian on January 8, and Atlassian deployed a fix on May 18.
Some components of this report are sourced from: