<p>Cybersecurity researchers on Wednesday disclosed critical flaws in the Atlassian project and software development platform that could have been exploited to take over an account and control some of the apps connected through its single sign-on (<a href="https://en.wikipedia.org/wiki/Single_sign-on" rel="noopener" target="_blank">SSO</a>) capability.</p> <p>“With just one click, an attacker could have used the flaws to get access to Atlassian’s published Jira system and get sensitive information, such as security issues on Atlassian cloud, Bitbucket and on premise products,” Check Point Research <a href="https://research.checkpoint.com/2021/a-supply-chain-breach-taking-over-an-atlassian-account/" rel="noopener" target="_blank">said</a> in an analysis shared with The Hacker News.</p> <p>After the issues were reported to Atlassian on Jan. 8, 2021, the Australian company deployed a fix as part of its <a href="https://confluence.atlassian.com/jirasoftware/jira-software-release-notes-776821069.html" rel="noopener" target="_blank">updates</a> rolled out on <a href="https://confluence.atlassian.com/jirasoftware/jira-software-8-17-x-release-notes-1063559166.html" rel="noopener" target="_blank">May 18</a>. The sub-domains affected by the flaws include:</p> <ul> <li>jira.atlassian.com</li> <li>confluence.atlassian.com</li> <li>getsupport.atlassian.com</li> <li>partners.atlassian.com</li> <li>developer.atlassian.com</li> <li>support.atlassian.com</li> <li>training.atlassian.com</li> </ul> <p>Successful exploitation of these flaws could have resulted in a supply-chain attack: an adversary takes over an account and uses it to perform unauthorized actions on behalf of the victim, edit Confluence pages, access Jira tickets, and even inject malicious implants to stage further attacks down the line.</p> <div class="separator"><a href="https://thehackernews.com/images/-g7U6m8t1318/YNRWxFewI0I/AAAAAAAAC-c/vq5YhLgZ5TswFc2Mk6dDopm0b4UTiN02QCLcBGAsYHQ/s0/Atlassian-hacking.jpg"><img alt="Atlassian Hacking" border="0" data-original-height="326" data-original-width="728" src="https://thehackernews.com/images/-g7U6m8t1318/YNRWxFewI0I/AAAAAAAAC-c/vq5YhLgZ5TswFc2Mk6dDopm0b4UTiN02QCLcBGAsYHQ/s728-e1000/Atlassian-hacking.jpg" title="Atlassian Hacking"></a></div> <p>The weaknesses hinge on the fact that Atlassian uses SSO to ensure seamless navigation between the sub-domains listed above: a single login is honoured across all of them, which is what lets a hijacked session reach apps beyond the one it was taken from. That turns a client-side bug on one sub-domain into a platform-wide problem. The attack scenario injects malicious code into the platform using <a href="https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/" rel="noopener" target="_blank">XSS</a> and <a href="https://www.imperva.com/learn/application-security/csrf-cross-site-request-forgery/" rel="noopener" target="_blank">CSRF</a>, then leverages a <a href="https://owasp.org/www-community/attacks/Session_fixation" rel="noopener" target="_blank">session fixation</a> flaw to hijack a valid user session and take control of the account.</p> <p>In other words, an attacker can trick a user into clicking a specially-crafted Atlassian link that executes a malicious payload and hijacks the user’s session; the bad actor can then use that session to log in to the victim’s account and obtain sensitive information.</p> <p>What’s more, armed with the Jira account, the attacker can proceed to gain control of a Bitbucket account by opening a Jira ticket embedded with a malicious link to a rogue website. When the victim clicks that link from the <a href="https://confluence.atlassian.com/adminjiraserver/configuring-email-notifications-938847633.html" rel="noopener" target="_blank">auto-generated email notification</a> Jira sends for the ticket, the rogue site can be used to pilfer the victim’s Bitbucket credentials, effectively granting the attacker permissions to access or alter source code, make the repository public, or even insert backdoors.</p> <p>“Supply chain attacks have piqued our interest all year, ever since the <a href="https://thehackernews.com/2021/04/researchers-find-additional.html" rel="noopener" target="_blank">SolarWinds incident</a>. The platforms from Atlassian are central to an organization’s workflow,” said Oded Vanunu, head of products vulnerabilities research at Check Point.
“An incredible amount of supply chain information flows through these applications, as well as engineering and project management.”</p> <p>“In a world where distributed workforces increasingly depend on remote technologies, it’s imperative to ensure these technologies have the best defenses against malicious data extraction,” Vanunu added.</p> <p>The post <a rel="nofollow" href="https://patabook.com/technology/2021/06/25/one-click-exploit-could-have-let-attackers-hijack-any-atlassian-account/">One-Click Exploit Could Have Let Attackers Hijack Any Atlassian Account</a> appeared first on <a rel="nofollow" href="https://patabook.com/technology">Patabook Technology</a>.</p>
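<p>The session fixation step in the chain described above is the part a developer can reason about in a few dozen lines. What follows is an added example, not code from the original article, from Check Point or from Atlassian: a constructed server-side session store that can be configured either to accept whatever session identifier the client presents and keep it across login (the behaviour fixation relies on), or to reject unknown identifiers and rotate the identifier at login (the hardened form). The class names, the <code>USERS</code> table, the credentials and the planted identifier are all invented for the simulation.</p>

```python
"""Session fixation, vulnerable and hardened server behaviour side by side.

Constructed example: nothing here is Atlassian's or Check Point's code.
"""
import hmac
import secrets
from typing import Optional

# Constructed user table for the simulation (not real credentials).
USERS = {"victim": "correct-horse-battery-staple"}


class SessionStore:
    """Minimal server-side session store.

    rotate_on_login=False together with adopt_unknown_ids=True reproduces the
    behaviour a session-fixation attack needs; the opposite settings are the
    hardened configuration.
    """

    def __init__(self, rotate_on_login: bool, adopt_unknown_ids: bool):
        self.rotate_on_login = rotate_on_login
        self.adopt_unknown_ids = adopt_unknown_ids
        self.sessions = {}  # session id -> {"user": username or None}

    def start(self) -> str:
        """Issue a fresh anonymous session (what a first visit gets)."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def _resolve(self, cookie_sid: str) -> Optional[str]:
        """Map the cookie the browser sent to a live session id, if any."""
        if cookie_sid in self.sessions:
            return cookie_sid
        if self.adopt_unknown_ids:
            # Vulnerable: any client-supplied cookie value becomes a live
            # session, so an attacker can choose the identifier in advance.
            self.sessions[cookie_sid] = {"user": None}
            return cookie_sid
        return None

    def login(self, cookie_sid: str, username: str, password: str) -> Optional[str]:
        """Authenticate; return the session id the browser must use afterwards."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        sid = self._resolve(cookie_sid) or self.start()
        if self.rotate_on_login:
            # Hardened: bind the authenticated state to a brand-new id and
            # delete the pre-login one, so any copy held elsewhere is dead.
            del self.sessions[sid]
            sid = self.start()
        self.sessions[sid]["user"] = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        record = self.sessions.get(sid)
        return record["user"] if record else None


def fixation_attack(store: SessionStore, planted_sid: str = "attacker-chosen-id") -> Optional[str]:
    """Simulate the attack; return what the attacker's copy of the session id
    resolves to after the victim has logged in (None means the attack failed)."""
    # 1. Attacker obtains an id to plant: a value of their choosing if the
    #    server adopts unknown ids, otherwise a genuine anonymous session.
    attacker_sid = planted_sid if store.adopt_unknown_ids else store.start()
    # 2. Attacker plants it in the victim's browser (in the article's scenario
    #    via the XSS/CSRF payload behind a crafted link; not modelled here).
    victim_cookie = attacker_sid
    # 3. Victim logs in with their own credentials on the planted session.
    victim_cookie = store.login(victim_cookie, "victim", "correct-horse-battery-staple")
    assert victim_cookie is not None
    # 4. Attacker replays the id they planted.
    return store.whoami(attacker_sid)


if __name__ == "__main__":
    vulnerable = SessionStore(rotate_on_login=False, adopt_unknown_ids=True)
    hardened = SessionStore(rotate_on_login=True, adopt_unknown_ids=False)
    print("vulnerable store, attacker resolves to:", fixation_attack(vulnerable))
    print("hardened store, attacker resolves to:  ", fixation_attack(hardened))
```

<p>Run it and the vulnerable store reports the attacker’s planted identifier as the victim’s authenticated session, while the hardened store reports nothing. Rotation alone is enough to defeat the attack even when unknown identifiers are adopted, and rejecting unknown identifiers alone is not, since the attacker can always plant a genuine anonymous session instead of a chosen string. The step the code cannot show is how the identifier gets into the victim’s browser; in the scenario above that is the payload behind the crafted link. Two general checks follow: regenerate the session identifier at every privilege change, and remember that a cookie scoped to a parent domain (<code>Domain=example.com</code>) is sent to, and can be set from, every sub-domain of it, so an injection on any one SSO-connected sub-domain must be treated as a risk to the sessions of the rest.</p>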
source https://patabook.com/blogs/99718/One-Click-Exploit-Could-Have-Let-Attackers-Hijack-Any-Atlassian