IT administrators running Atlassian applications, including Jira, Confluence, Trello and Bitbucket, are being warned of a weakness in how the products handle session cookies.
Until Atlassian releases a fix, the workaround is to make sure users log out of Atlassian products regularly rather than staying logged in for days at a time.
A session cookie is meant to be short-lived: it is supposed to stop working when the user logs out or closes the browser, and anyone who copies it can act as that user without a password or a multifactor prompt. However, researchers at CloudSEK of India say Atlassian session cookies remain valid for 30 days unless the user explicitly ends the session. Changing the password does not invalidate a cookie that has already been issued, and having multifactor authentication enabled does not help either; the cookie only expires when the user logs out.
This matters because session cookies are increasingly being harvested from compromised devices, bundled with credentials into "logs", and sold on dark web marketplaces.
UPDATE: In a statement Atlassian said its security team “is aware of this incident and we have followed security protocol to invalidate affected session tokens. Atlassian is conducting a comprehensive investigation, though our security team has not found evidence of a compromise within our systems or products. No customer action is required at this time. We will update our customers once our investigation concludes.”
CloudSEK says that in the last 30 days more than 200 unique instances of atlassian.net-related credentials and cookies have been put up for sale on dark web marketplaces. “Given that the credentials were put up for sale in the last 30 days, it is highly likely that many of them are still active,” the researchers said.
CloudSEK discovered the weakness while investigating the compromise of an employee’s Jira account earlier this month. The attacker, the company concluded, had used a Jira session cookie taken from a stolen log rather than the account’s password.
CloudSEK says Atlassian has been told of the problem and is working to solve it.
The long cookie lifetime is a known issue, the researchers add, but most companies worry more about closing other web vulnerabilities, such as cross-site scripting, that let attackers steal security tokens and session cookies in the first place.
“However,” say the researchers, “it is no longer very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. And cookies are available for sale, and one can simply search for a company, buy their logs, and find relevant tokens to gain access to their internal systems.”
In the case of Atlassian products, says CloudSEK, a single JSON Web Token (JWT) is enough to hijack a session (for example, the cloud.session.token cookie). The token’s payload carries the user’s email address, and because a JWT payload is only base64url-encoded rather than encrypted, anyone holding the cookie can read it without the signing key. As a result, the researchers say, it is easy to determine which user, and therefore which organization, a stolen cookie belongs to.
To mitigate the issue, CloudSEK advises IT and security administrators to:
- encourage employees to log out of sensitive applications regularly;
- set a shorter idle-session timeout for Atlassian products in admin.atlassian.com under Security → Authentication policies until Atlassian releases a fix;
- enforce the idle-session timeout so that users must log in again after a period of inactivity;
- monitor cybercrime forums for the latest tactics used by threat actors;
- check whether your organization’s data is being offered for sale on dark web marketplaces.
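As an added illustration, not code from the article or from CloudSEK, the script below ties the two technical points together: the embedded email address makes a stolen cookie easy to attribute, and the 30-day lifetime means many of the tokens on sale are still usable. It decodes a JWT payload without verifying the signature (exactly what a buyer of a stolen log can do), then triages a stealer-style cookie dump for still-valid cloud.session.token cookies that belong to a given organization, which is the practical form of the last recommendation above. The Netscape cookies.txt layout, the claim names email/iat/exp, the HS256 signing key and every cookie line are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Everything below the article does not state (claim names, key, cookie lines,
# log layout) is constructed for this example and is not Atlassian's format.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_jwt(claims: dict, key: bytes = b"example-signing-key") -> str:
    """Mint an HS256 JWT so the sample log below looks realistic (test data only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature.

    The payload is base64url-encoded JSON, not ciphertext, so whoever holds the
    cookie can read the embedded email and expiry with no key at all. This is
    a triage helper; never use it to decide whether a token is trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(_b64url_decode(parts[1]))


def parse_cookie_log(text: str) -> list:
    """Parse Netscape cookies.txt lines (assumed dump layout):
    domain, include-subdomains flag, path, secure flag, expiry, name, value."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than crash on a dirty dump
        domain, _, _, _, expires, name, value = fields
        rows.append({"domain": domain, "expires": int(expires), "name": name, "value": value})
    return rows


def triage_atlassian_cookies(text: str, org_domain: str, now: int) -> list:
    """Return cloud.session.token cookies from a dump that are still unexpired and
    belong to users of org_domain, with the days of validity that remain."""
    hits = []
    for cookie in parse_cookie_log(text):
        if cookie["name"] != "cloud.session.token":
            continue
        if not cookie["domain"].lstrip(".").endswith("atlassian.net"):
            continue
        try:
            claims = decode_jwt_claims(cookie["value"])
        except ValueError:  # also covers binascii.Error and json.JSONDecodeError
            continue
        email = str(claims.get("email", "")).lower()
        exp = int(claims.get("exp", 0))
        if email.endswith("@" + org_domain.lower()) and exp > now:
            hits.append({"site": cookie["domain"], "email": email,
                         "days_left": (exp - now) // 86400})
    return hits


NOW = 1_700_000_000  # fixed "current time" so the sample is reproducible
DAY = 86400


def _line(domain: str, expires: int, name: str, value: str) -> str:
    return "\t".join([domain, "FALSE", "/", "TRUE", str(expires), name, value])


SAMPLE_LOG = "\n".join([
    "# Netscape HTTP Cookie File -- constructed sample, not a real stealer log",
    # issued 10 days ago, 20 days of the 30-day window left: still usable
    _line("example.atlassian.net", NOW + 20 * DAY, "cloud.session.token",
          make_test_jwt({"email": "alice@example.com", "iat": NOW - 10 * DAY, "exp": NOW + 20 * DAY})),
    # same organization, but aged past the 30-day window: expired
    _line("example.atlassian.net", NOW - DAY, "cloud.session.token",
          make_test_jwt({"email": "bob@example.com", "iat": NOW - 31 * DAY, "exp": NOW - DAY})),
    # still valid, but belongs to another organization
    _line("other.atlassian.net", NOW + 5 * DAY, "cloud.session.token",
          make_test_jwt({"email": "carol@other.example", "exp": NOW + 5 * DAY})),
    # a non-JWT cookie on the same host; must be skipped, not crash the parser
    _line("example.atlassian.net", 0, "example.other.cookie", "not-a-jwt"),
])

if __name__ == "__main__":
    for hit in triage_atlassian_cookies(SAMPLE_LOG, "example.com", NOW):
        print(f"{hit['email']} on {hit['site']}: still valid for {hit['days_left']} days")
```

Run against the constructed dump with org_domain "example.com", only Alice's cookie is reported, with 20 days of validity left; Bob's has aged out and Carol's belongs to another tenant. The expiry here is read from the token's own exp claim, which is the only signal a defender has when the issuing server, as the article describes, does not revoke the token on a password change.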