<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Atlassian Vulnerabilities in Tech Talk</title>
    <link>https://community.isc2.org/t5/Tech-Talk/Atlassian-Vulnerabilities/m-p/56133#M3783</link>
    <description>&lt;P&gt;If you believe you have found a security issue that meets Atlassian’s definition of a vulnerability, please submit the report to our security team via one of the methods below: Only vulnerabilities submitted through our bug bounty program are eligible to receive a bounty payment. Please include the following information in your report:&amp;nbsp;&lt;A href="https://www.myhtspace.net/" target="_self"&gt;&lt;FONT color="#FFFFFF"&gt;My HT Space&lt;/FONT&gt;&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Fri, 23 Dec 2022 04:11:52 GMT</pubDate>
    <dc:creator>King69</dc:creator>
    <dc:date>2022-12-23T04:11:52Z</dc:date>
    <item>
      <title>Atlassian Vulnerabilities</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Atlassian-Vulnerabilities/m-p/56027#M3758</link>
      <description>&lt;P&gt;Hi All&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;According to this report there is a whole load of Atlassian products with security flaws, which are used in a lot of organisations these days.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-multiple-companies/" target="_blank"&gt;https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-multiple-companies/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Caute_Cautim&lt;/P&gt;</description>
      <pubDate>Mon, 09 Oct 2023 10:23:45 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Atlassian-Vulnerabilities/m-p/56027#M3758</guid>
      <dc:creator>Caute_cautim</dc:creator>
      <dc:date>2023-10-09T10:23:45Z</dc:date>
    </item>
    <item>
      <title>Re: Atlassian Vulnerabilities</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Atlassian-Vulnerabilities/m-p/56133#M3783</link>
      <description>&lt;P&gt;If you believe you have found a security issue that meets Atlassian’s definition of a vulnerability, please submit the report to our security team via one of the methods below: Only vulnerabilities submitted through our bug bounty program are eligible to receive a bounty payment. Please include the following information in your report:&amp;nbsp;&lt;A href="https://www.myhtspace.net/" target="_self"&gt;&lt;FONT color="#FFFFFF"&gt;My HT Space&lt;/FONT&gt;&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 23 Dec 2022 04:11:52 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Atlassian-Vulnerabilities/m-p/56133#M3783</guid>
      <dc:creator>King69</dc:creator>
      <dc:date>2022-12-23T04:11:52Z</dc:date>
    </item>
    <item>
      <title>Re: Atlassian Vulnerabilities</title>
      <link>https://community.isc2.org/t5/Tech-Talk/Atlassian-Vulnerabilities/m-p/56144#M3785</link>
      <description>&lt;P&gt;At first blush, three observations:&lt;/P&gt;&lt;OL&gt;&lt;LI&gt;30-day cookies - that leaves a pretty big window of opportunity that seems mostly driven by "user experience." I suspect the driver is integration with a mobile app. We're used to logging in/using password managers with web browsers, but in the thumb-click rush of the mobile experience, we demand more authentication persistence.&lt;/LI&gt;&lt;LI&gt;Email addresses buried in the cookie - All a cookie should be is some random ID that can then be married to a database. There is no need to store such identifying data ... UNLESS you are trying to do tracking with partners or something similar.&lt;/LI&gt;&lt;LI&gt;2FA - No, it doesn't seem to be 2FA.&amp;nbsp; This seems to be shortcut authentication where, if you have the token, you don't have to use an additional means of authentication.&amp;nbsp;&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Still, all of this seems more proof of concept (maybe I missed something), but it seems like CloudSek hacked itself (using its own cookies). Fundamentally, the issue is: is there anything in these Atlassian applications that gives up their cookies? I don't see that reported (although, apparently, Atlassian cookies can be found for sale). While it is true that if someone gets their hands on a device, they can then get access to someone's cookies, if they have that kind of access, they can also get at password managers and the like. It's kind of game over at that point anyway. I don't know if this all warrants alarm, but there certainly seem to be teachable and fixable moments here.&lt;/P&gt;</description>
      <pubDate>Thu, 22 Dec 2022 14:22:49 GMT</pubDate>
      <guid>https://community.isc2.org/t5/Tech-Talk/Atlassian-Vulnerabilities/m-p/56144#M3785</guid>
      <dc:creator>JoePete</dc:creator>
      <dc:date>2022-12-22T14:22:49Z</dc:date>
    </item>
  </channel>
</rss>