Atlassian has remedied a chain of vulnerabilities disclosed to the Australian collaborative software vendor, which could be used to take over accounts and control apps on its domains.
Security vendor Check Point Software was able to bypass protective measures for Atlassian’s Single Sign-On (SSO) system, including the browser Content Security Policy (CSP) and cookies marked SameSite Strict and HTTPOnly.
Check Point found that the training.atlassian.com subdomain’s CSP was configured poorly and allowed script execution.
By combining cross-site scripting and cross-site request forgery (XSS and CSRF), the researchers were able to inject a malicious payload into the Atlassian training site’s shopping cart, which allowed them to perform actions as the target user.
To get the user’s session cookie, the Check Point researchers used a cookie fixation attack.
This forced the victim’s browser to use a cookie value already known to the attacker; once that cookie became authenticated, the attacker held a valid session without ever needing to read the cookie, which bypassed the HTTPOnly restriction and allowed the account hijacking.
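The CSP weakness at the root of the chain is a header that still lets attacker-controlled script run. The following checker is an added example written for this article, not code from Check Point or Atlassian; the article does not quote the real training.atlassian.com policy, so the two sample headers are constructed to show a weak policy beside a hardened one.

```python
"""Lint a Content-Security-Policy header for settings that let untrusted script execute."""
from __future__ import annotations

# Source expressions that effectively allow attacker-supplied script to run.
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source, ...]}; names are case-insensitive."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if not parts:
            continue
        # The spec says the first occurrence of a directive wins; later duplicates are ignored.
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def script_findings(header: str) -> list[str]:
    """Return findings describing how the policy allows script execution (empty = none)."""
    policy = parse_csp(header)
    # script-src falls back to default-src; with neither present, scripts are unrestricted.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts from any origin can run"]
    findings: list[str] = []
    for src in sources:
        lowered = src.lower()
        if lowered in UNSAFE_SOURCES:
            findings.append(f"script-src allows {src}")
        elif lowered.startswith("*."):
            findings.append(f"script-src allows wildcard host {src}")
    # When a nonce or hash source is present, browsers ignore 'unsafe-inline',
    # so it is not a finding in that case.
    if any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources):
        findings = [f for f in findings if "'unsafe-inline'" not in f]
    return findings


# Constructed sample policies (the article does not quote the real one).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *.example.com; object-src 'none'"
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'strict-dynamic'; object-src 'none'"

if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, script_findings(csp) or "OK")
```

Run it against a policy captured from your own response headers; any finding means inline or third-party script injection is not blocked by CSP alone.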
From the Atlassian training site, the researchers were able to pivot to accounts on Jira, Confluence, and other subdomains operated by the Australian vendor.
The researchers were also able to use the hijacked Jira account to break into Bitbucket code repositories.
A supply-chain attack that accesses an organisation’s Bitbucket repository is particularly dangerous as it could lead to altered source code being implanted to disseminate malware or backdoors.