Cybersecurity researchers on Wednesday disclosed critical flaws in the Atlassian project and software development platform that could be exploited to take over an account and control some of the apps connected through its single sign-on (SSO) capability.
"With just one click, an attacker could have used the flaws to get access to Atlassian's publish Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket and on premise products," Check Point Research said in an analysis shared with The Hacker News.
After the issues were reported to Atlassian on Jan. 8, 2021, the Australian company deployed a fix as part of its updates rolled out on May 18. The sub-domains affected by the flaws include -
- jira.atlassian.com
- confluence.atlassian.com
- getsupport.atlassian.com
- partners.atlassian.com
- developer.atlassian.com
- support.atlassian.com
- training.atlassian.com
Successful exploitation of these flaws could result in a supply-chain attack wherein an adversary can take over an account, using it to perform unauthorized actions on behalf of the victim, edit Confluence pages, access Jira tickets, and even inject malicious implants to stage further attacks down the line.
The weaknesses hinge on the fact that Atlassian uses SSO to ensure seamless navigation between the aforementioned domains, thus creating a potential attack scenario that involves injecting malicious code into the platform using XSS and CSRF, followed by leveraging a session fixation flaw to hijack a valid user session and take control of an account.
In other words, an attacker can trick a user into clicking on a specially-crafted Atlassian link in order to execute a malicious payload that steals the user's session, which can then be used by the bad actor to log in to the victim's account and obtain sensitive information.
What's more, armed with the Jira account, the attacker can proceed to gain control of a Bitbucket account by opening a Jira ticket embedded with a malicious link to a rogue website that, when clicked from an auto-generated email message, could be used to pilfer the credentials, effectively granting them permissions to access or alter source code, make a repository public, or even insert backdoors.
"Supply chain attacks have piqued our interest all year, ever since the SolarWinds incident. The platforms from Atlassian are central to an organization's workflow," said Oded Vanunu, head of products vulnerabilities research at Check Point. "An incredible amount of supply chain information flows through these applications, as well as engineering and project management."
"In a world where distributed workforces increasingly depend on remote technologies, it's imperative to ensure these technologies have the best defenses against malicious data extraction," Vanunu added.