Cybersecurity researchers have discovered a series of chained Atlassian vulnerabilities that could have allowed an attacker to take over an Atlassian account connected via SSO and control Atlassian applications.
According to Check Point Research (CPR), the researchers were able to use a combination of cross-site scripting (XSS), cross-site request forgery (CSRF) issues and a method of cookie fixation to take over any Atlassian account on every subdomain under atlassian.com in “just one click.”
To succeed, an attacker would target Atlassian apps and domains that do not use JWT for the session and that are vulnerable to session fixation.
The CPR team discovered the vulnerabilities back on November 16, 2020 and responsibly disclosed them to Atlassian. The issues were then subsequently fixed by Atlassian.
Some of the affected Atlassian domains that were vulnerable to account takeover include:
- jira.atlassian.com
- confluence.atlassian.com
- getsupport.atlassian.com
- partners.atlassian.com
- developer.atlassian.com
- support.atlassian.com
- training.atlassian.com
Chained vulnerabilities
The Check Point researchers found the first issue, a stored XSS vulnerability, on the training platform and subdomain training.atlassian.com.
“We noticed that the Content Security Policy (CSP) was configured poorly on this subdomain with ‘unsafe-inline’ and ‘unsafe-eval’ directives which allows script execution,” the CPR team explained in the blog post.
With script execution on the subdomain, the researchers were able to demonstrate how to make the user add a malicious item to the shopping cart without their noticing.
“Because there is no CSRF token, we could perform a CSRF attack on the shopping list and execute our payload,” the team added.
Moreover, the CPR team described in detail how they analyzed the single sign-on flows and bypassed SameSite “Strict” for CSRF and the CSP with inline JavaScript. The researchers then leveraged cookie fixation to bypass the HttpOnly flag and hijack the user’s Atlassian account.
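The three weaknesses chained above all show up in response headers: a CSP whose script-src permits 'unsafe-inline' and 'unsafe-eval', and session cookies set without HttpOnly, Secure or a SameSite value. The following header audit is an added example written for this article, not code from Check Point Research or Atlassian; the sample headers (WEAK and HARDENED) are constructed, and the cookie name "session" and the domain example.com are placeholders.

```python
"""Audit HTTP response headers for the CSP and cookie weaknesses described above."""
from typing import Dict, List, Tuple

# Source expressions that let injected markup run as script.
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}.
    Per the CSP spec, a repeated directive is ignored, so the first wins."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def csp_findings(header: str) -> List[str]:
    """Flag a policy that allows inline or eval'd script."""
    policy = parse_csp(header)
    if not policy:
        return ["no Content-Security-Policy header"]
    # script-src falls back to default-src when it is absent.
    if "script-src" not in policy and "default-src" not in policy:
        return ["no script-src or default-src: inline script is unrestricted"]
    script_sources = policy.get("script-src", policy.get("default-src", []))
    findings = [f"script-src allows {s}" for s in script_sources if s.lower() in UNSAFE_SOURCES]
    if "*" in script_sources:
        findings.append("script-src allows any origin ('*')")
    return findings


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into the cookie name and its lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.lower()] = value
    return name, attrs


def cookie_findings(header: str) -> List[str]:
    """Flag a cookie that injected script can read or that cross-site requests carry."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"{name}: SameSite not Lax/Strict (cross-site requests carry the cookie)")
    return findings


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Run both checks over a dict of lower-cased header name -> list of values."""
    findings = csp_findings(" ".join(headers.get("content-security-policy", [""])))
    for cookie in headers.get("set-cookie", []):
        findings.extend(cookie_findings(cookie))
    return findings


# Constructed sample responses: the weak configuration beside a hardened one.
WEAK = {
    "content-security-policy": ["default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"],
    "set-cookie": ["session=abc123; Path=/; Domain=.example.com"],
}
HARDENED = {
    "content-security-policy": ["default-src 'self'; script-src 'self' 'nonce-r4nd0mvalue'"],
    "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(headers) or ["no findings"])
```

Running the block prints five findings for the weak response (two CSP, three cookie) and none for the hardened one. The cookie checks cover the cookie-level defences; the session-fixation weakness the article also names is a server-side matter (issuing a fresh session identifier at login) that no header audit can see.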
Finally, the researchers provided a proof-of-concept video.