Atlassian products were vulnerable to a hack that could have seen attackers gain access to user accounts, cybersecurity analysts found.
Researchers from security firm Check Point discovered a set of flaws which, if exploited, would have enabled bad actors to take over the accounts of Atlassian products like Jira and Bitbucket.
The researchers found the training.atlassian.com subdomain had ‘unsafe-inline’ and ‘unsafe-eval’ directives turned on in the site’s content security policy (CSP), an HTTP header used to improve site security.
Having those two directives turned on allows for other scripts to be executed in page requests and was the Check Point researchers’ entry point into Atlassian’s user account security.
In a blog post, Check Point outlined how it could control a user’s account from an Atlassian-maintained training store by performing a ‘cookie fixation’ attack.
This involved forcing the company’s single sign-on protocol to a redirect function that tricks it into using an authentication cookie included in the web request, rather than the original legitimate one.
By using a similar process, the researchers were also able to create a cookie authentication payload that would work on the user’s Jira account.
From there, it was a matter of pushing Jira tickets riddled with malicious links and the attackers could have to more Atlassian tools like Bitbucket.
“What makes a supply chain attack such as this one so significant is the fact that once the attacker leverages these vulnerabilities and takes over an account, he can plant backdoors that he can use in the future for his attack,” Check Point said.
“This can create a severe damage which will be identified and controlled only much after the damage is done.”
Atlassian, which runs a bug bounty program that averages payouts of around US$1,200, said it has fixed the issues.
“Based on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform,” a spokesperson said.
“Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server).”
Crucially, the attack depends on an Atlassian user clicking on a malicious link – first to give the attackers a foothold to their account, then again for further access – once again showing how important phishing is for bad actors.
In its recent latest Data Breach Investigations Report, Verizon noted 36% of data breaches involved phishing.