Vulnerability chain allowed Atlassian account hijacks

Cookie fixation bypassed security measures.

Atlassian has remedied a chain of vulnerabilities disclosed to the Australian collaborative software vendor, which could be used to take over accounts and control apps on its domains.

Security vendor Check Point Software was able to bypass the protective measures around Atlassian's Single Sign-On (SSO) system, including the browser's Content Security Policy (CSP) and access-restricted cookies marked SameSite=Strict and HttpOnly.

Check Point found that the CSP on the training.atlassian.com subdomain was poorly configured and allowed script execution.

By combining cross-site scripting and cross-site request forgery (XSS and CSRF), the researchers were able to inject a malicious payload into the Atlassian training site's shopping cart, which allowed them to perform actions as the target user.

To obtain the user's session cookie, the Check Point researchers used a cookie fixation attack.

This forced the browser to use a cookie value already known to the attacker, which then became authenticated on login. Because the attacker never needed to read the cookie from the browser, the HttpOnly restriction was bypassed and the account could be hijacked.
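The server-side weakness that makes such a cookie fixation chain work is a login that upgrades whatever session id the client presents. The following added example (not code from Check Point or Atlassian; the session store and handler names are constructed for illustration) contrasts that flawed pattern with the standard mitigation: rejecting unknown ids and rotating the session id at authentication.

```python
import secrets

# Constructed in-memory session store: session id -> {"user": username or None}
SESSIONS: dict[str, dict] = {}


def new_session() -> str:
    """Issue a server-generated, not-yet-authenticated session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login_fixation_prone(presented_sid: str, user: str) -> str:
    """Flawed pattern: the id the client presented (possibly planted in the
    browser beforehand by a third party) is simply upgraded to an
    authenticated session, so whoever chose that id now holds the login."""
    SESSIONS.setdefault(presented_sid, {"user": None})
    SESSIONS[presented_sid]["user"] = user
    return presented_sid


def login_hardened(presented_sid: str, user: str) -> str:
    """Mitigation: never trust a client-chosen id, and rotate the id when the
    privilege level changes, so a pre-login id known to anyone else is
    invalidated rather than authenticated."""
    if presented_sid in SESSIONS:
        del SESSIONS[presented_sid]  # the pre-login id stops working
    fresh = secrets.token_urlsafe(32)  # only the responding browser sees this
    SESSIONS[fresh] = {"user": user}
    return fresh


def whoami(sid: str):
    """Return the user bound to sid, or None if it is unknown or unauthenticated."""
    return SESSIONS.get(sid, {}).get("user")


def demo() -> dict:
    """Run both login flows against a constructed, attacker-chosen id."""
    planted_a, planted_b = "planted-id-a", "planted-id-b"  # constructed values
    login_fixation_prone(planted_a, "victim")
    fresh = login_hardened(planted_b, "victim")
    return {
        "fixation_prone_planted_id_logged_in": whoami(planted_a) == "victim",
        "hardened_planted_id_logged_in": whoami(planted_b) == "victim",
        "hardened_fresh_id_logged_in": whoami(fresh) == "victim",
    }
```

Rotating the id is what the HttpOnly and SameSite flags cannot do on their own; they limit who can read or send the cookie, not whether a pre-chosen value is accepted.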

From the Atlassian training site, the researchers were able to pivot to accounts on Jira, Confluence, and other subdomains operated by the Australian vendor.

The researchers were also able to use the hijacked Jira account to break into Bitbucket code repositories.

A supply-chain attack that accesses an organisation's Bitbucket repository is particularly dangerous as it could lead to altered source code being implanted to disseminate malware or backdoors.

Copyright © iTnews.com.au . All rights reserved.