One-click account takeover vulnerabilities in Atlassian domains patched

guest · Jun 24, 2021

One-click account takeover vulnerabilities in Atlassian domains patched
Research was conducted in light of the increasing threat of supply-chain attacks.
June 24, 2021
https://www.zdnet.com/article/one-click-account-takeover-vulnerability-in-atlassian-patched/

Vulnerabilities that could allow XSS, CSRF, and one-click account takeovers in Atlassian subdomains have been patched.

On Thursday, Check Point Research (CPR) said that the bugs were found in the software solutions provider's online domains, used by thousands of enterprise clients worldwide.
Click to expand...

The vulnerabilities in question were found in a number of Atlassian-maintained websites, rather than on-prem or cloud-based Atlassian products.

Subdomains under atlassian.com, including partners, developer, support, Jira, Confluence, and training.atlassian.com were vulnerable to account takeover.
CPR explained that exploit code utilizing the vulnerabilities in the subdomains could be deployed through a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and a user session would be stolen.
Click to expand...

Check Point Research: A supply-chain breach: Taking over an Atlassian account

Conclusion
By using the XSS with CSRF that we found on training.atlassian.com combined with the method of Cookie fixation we were able to take over any Atlassian account, in just one click, on every subdomain under atlassian.com that doesn’t use JWT for the session and that is vulnerable to session fixation . For example: training.atlassian.com, jira.atlassian.com, developer.atlassian.com and more.

Taking over an account in such a collaborative platform means an ability to take over data that is not meant for unauthorized view.
Click to expand...

Log in or Sign up

One-click account takeover vulnerabilities in Atlassian domains patched

guest Guest

Log in or Sign up

One-click account takeover vulnerabilities in Atlassian domains patched

guest Guest

Useful Searches