Attackers could have taken over an Atlassian account via one-click exploit

Attackers could have taken over an Atlassian account via one-click exploit

Cybersecurity researchers have discovered a series of chained Atlassian vulnerabilities that could have allowed an attacker to take over an Atlassian account connected via SSO and control Atlassian applications.

According to Check Point Research (CPR), the researchers were able to use a combination of cross-site scripting (XSS), cross-site request forgery (CSRF) issues and a method of cookie fixation to take over any Atlassian account on every subdomain under atlassian.com in “just one click.”

In order to be successful, an attacker would take advantage of Atlassian apps and domains that don’t use JWT for the session and that is vulnerable to session fixation.

The CPR team discovered the vulnerabilities back on November 16, 2020 and responsibly disclosed them to Atlassian. The issues were then subsequently fixed by Atlassian.

Some of the affected Atlassian domains that were vulnerable to account takeover include:

  • jira.atlassian.com
  • confluence.atlassian.com
  • getsupport.atlassian.com
  • partners.atlassian.com
  • developer.atlassian.com
  • support.atlassian.com
  • training.atlassian.com.

Chained vulnerabilities

The Check Point researchers found the first issue, a stored XSS vulnerability, on the training platform and subdomain training.atlassian.com.

“We noticed that the Content Security Policy (CSP) was configured poorly on this subdomain with ‘unsafe-inline’ and ‘unsafe-eval’ directives which allows script execution,” the CPR team explained in the blog post.

Once successful, the security experts were able to demonstrate how to make the user add a malicious item to the shopping cart without their notice.

“Because there is no CSRF token we could perform CSRF attack on the shopping list and execute our payload,” the team added.

Moreover, the CPR team described in detail how they analyzed single sign-on flows and bypassed SameSite “Strict” for CSRF and CSP with inline JavaScript. The researchers then leveraged cookie fixation to bypass the HTTPOnly and hijack the user’s Atlassian account.

Finally, the researchers provided a proof-of-concept video.

Related Articles

Tags: , , , , , , , ,