Caute_cautim
Community Champion

Atlassian Vulnerabilities

Hi All

According to this report there is a whole load of Atlassian products with security flaws, which are used in a lot of organisations these days.

https://cloudsek.com/security-flaw-in-atlassian-products-jira-confluencetrello-bitbucket-affecting-m...

Regards

Caute_Cautim

2 Replies
King69
Newcomer I

If you believe you have found a security issue that meets Atlassian's definition of a vulnerability, please submit the report to our security team via one of the methods below. Only vulnerabilities submitted through our bug bounty program are eligible to receive a bounty payment. Please include the following information in your report:

JoePete
Advocate I

At first blush, three observations:

  1. 30-day cookies - that leaves a pretty big window of opportunity that seems mostly driven by "user experience." I suspect the driver is integration with a mobile app. We're used to logging in/using password managers with web browsers, but in the thumb-click rush of the mobile experience, we demand more authentication persistence.
  2. Email addresses buried in the cookie - All a cookie should be is some random ID that can then be married to a database. There is no need to store such identifying data ... UNLESS you are trying to do tracking with partners or something similar.
  3. 2FA - No, it doesn't seem to be 2FA. This seems to be shortcut authentication where if you have the token you don't have to use an additional means of authentication.

Still, all of this seems more proof of concept (maybe I missed something), but it seems like CloudSek hacked itself (using its own cookies). Fundamentally, the issue is: is there anything in these Atlassian applications that gives up their cookies? I don't see that reported (although, apparently, Atlassian cookies can be found for sale). While it is true that if someone gets their hands on a device, they then can get access to someone's cookies, if they have that kind of access, they can also get at password managers and the like. It's kind of game-over at that point anyway. I don't know if this all warrants alarm, but there certainly seem to be teachable and fixable moments here.
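The three points above (long-lived cookies, identifying data inside the cookie, and a token that stands in for a second factor) map onto concrete session-handling choices. The following is an added example written for this thread; it is not code from the CloudSEK report, from Atlassian, or from any poster. It contrasts an opaque server-side session (random ID, idle and absolute timeouts, revocation, and a freshness check on the MFA proof before sensitive actions) with a self-describing JWT-style cookie whose payload anyone holding it can read. The timeout values, the `SessionStore` API, the secret and every claim in the constructed token are assumptions for illustration only.

```python
"""Opaque session cookies versus self-describing tokens (constructed example)."""
import base64
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for the example; pick your own. The point is that the
# server, not the cookie, decides how long a session lives.
IDLE_TIMEOUT = 15 * 60          # seconds without activity before the session dies
ABSOLUTE_LIFETIME = 12 * 3600   # hard cap regardless of activity (not 30 days)
MFA_MAX_AGE = 60 * 60           # sensitive actions need an MFA proof newer than this


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float
    mfa_at: float   # when the user last completed a second factor


class SessionStore:
    """Server-side session table keyed by a random opaque ID."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._sessions = {}

    def issue(self, user_id, mfa_verified):
        # 256 bits of randomness; the cookie carries this and nothing else.
        sid = secrets.token_urlsafe(32)
        t = self._now()
        self._sessions[sid] = Session(user_id, t, t, t if mfa_verified else 0.0)
        return sid

    def resolve(self, sid):
        """Return the live session for sid, or None if unknown or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.created > ABSOLUTE_LIFETIME or t - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]      # expired: forget it server-side
            return None
        s.last_seen = t
        return s

    def step_up_needed(self, sid):
        """A stolen cookie alone should not satisfy 2FA forever: once the last
        MFA proof is older than MFA_MAX_AGE, demand a fresh one."""
        s = self.resolve(sid)
        return s is None or (self._now() - s.mfa_at) > MFA_MAX_AGE

    def revoke_all(self, user_id):
        """Password change or 'sign out everywhere' kills every live cookie."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def readable_claims(cookie_value):
    """If the cookie is a JWT-style token, return its payload without verifying
    anything: this is exactly what a thief or a tracking partner can read.
    Opaque IDs (no dot-separated parts) return None."""
    parts = cookie_value.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None


PII_KEYS = {"email", "name", "phone"}


def leaks_pii(cookie_value):
    """True when identifying data sits in the cookie itself."""
    claims = readable_claims(cookie_value)
    return bool(claims) and any(k in claims for k in PII_KEYS)


def constructed_jwt():
    """A constructed, self-describing session token: email in the payload and
    a 30-day expiry baked in. The key is made up; nothing here is a real token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "HS256", "typ": "JWT"})
    payload = enc({"sub": "u123", "email": "alice@example.com",
                   "exp": int(time.time()) + 30 * 86400})
    sig = hmac.new(b"constructed-secret", f"{header}.{payload}".encode(), "sha256").digest()
    return f"{header}.{payload}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.issue("u123", mfa_verified=True)
    print("opaque cookie leaks PII:", leaks_pii(sid))
    print("JWT-style cookie leaks PII:", leaks_pii(constructed_jwt()))
```

With the opaque design, the cookie value tells an attacker nothing about who owns it, the server can end the session at any moment (device lost, password changed), and a copied cookie stops being a substitute for the second factor once `MFA_MAX_AGE` has elapsed. A self-describing token with a 30-day `exp` gives up all three properties: its lifetime is fixed at issue time, its claims are readable without any key, and nothing server-side needs to be consulted to accept it.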