Atlassian admins warned of session cookie vulnerability


IT administrators with applications from Atlassian — including Jira, Confluence, Trello and BitBucket — are being warned of a vulnerability in their session cookies.

The way to close this serious hole is to make sure users log out of Atlassian products regularly, rather than staying logged in for days at a time.

Session cookies, which are supposed to be temporary, contain some data that can help hackers. They are supposed to expire when a user logs out or closes their browser. However, researchers at CloudSEK of India say Atlassian cookies can persist for 30 days unless a user ends their session. Even if the user changes their password and multifactor authentication is enabled, the current cookie on that computer doesn’t expire. It will only expire if the user logs out.

This is important because session cookies are increasingly being stolen along with log information, and sold on the dark web.

CloudSEK says in the last 30 days more than 200 unique instances of atlassian.net-related credentials/cookies have been put up for sale on dark web marketplaces. “Given that the credentials were put up for sale in the last 30 days, it is highly likely that many of them are still active,” the researchers said.

CloudSEK discovered the vulnerability when investigating the compromise of an employee’s Jira password by an attacker earlier this month. The attacker used a Jira session cookie from a stolen log, the company concluded.

CloudSEK says Atlassian has been told of the problem and is working to solve it.

The vulnerability is a known issue, the researchers add. But, they say, most companies worry more about closing other website vulnerabilities — like cross-site scripting — that allow attackers to get security tokens and session cookies.

“However,” say the researchers, “it is no longer very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. And cookies are available for sale, and one can simply search for a company, buy their logs, and find relevant tokens to gain access to their internal systems.”

In the case of Atlassian products, says CloudSEK, only one JSON web token (JWT) is required to hijack a session (for example, cloud.session.token). Atlassian JWTs have the user's email address embedded in the cookie. As a result, the researchers say, it is easy to determine which user the cookie belongs to.

To mitigate the vulnerability, CloudSEK advises IT and security administrators to:

  • encourage employees to regularly log out of sensitive applications;
  • set a shorter idle session for Atlassian products via admin.atlassian.com, under the Security → Authentication policies section, until a fix is released by Atlassian;
  • implement idle-session timeout to enforce re-logins;
  • monitor cyber crime forums for the latest tactics used by threat actors;
  • check if your organization’s data is available for sale on dark web marketplaces.
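The failure mode described above is that a session cookie outlives a password change or MFA change and only dies on logout. The following is an added illustration, not Atlassian's or CloudSEK's code, of the server-side session handling an administrator would want: an idle timeout, an absolute lifetime instead of a 30-day cookie, and invalidation of every existing session when the user's credentials change. The timeout values, the in-memory store and the `credential_version` scheme are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60           # assumed policy: force re-login after 15 min idle
ABSOLUTE_LIFETIME = 8 * 60 * 60  # assumed policy: hard cap per login, not 30 days


@dataclass
class Session:
    email: str
    credential_version: int  # snapshot of the user's version at login time
    issued_at: float
    last_seen: float


class SessionStore:
    """Server-side session state; the cookie carries only an opaque random id."""

    def __init__(self):
        self.credential_version = {}  # email -> int, bumped on password/MFA change
        self.sessions = {}            # opaque session id -> Session

    def login(self, email, now=None):
        now = time.time() if now is None else now
        self.credential_version.setdefault(email, 1)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(email, self.credential_version[email], now, now)
        return sid

    def change_password(self, email):
        # Bumping the version invalidates every existing session for this user
        # without having to reach the cookies stored on each device.
        self.credential_version[email] = self.credential_version.get(email, 1) + 1

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def validate(self, sid, now=None):
        """Return the session's email if the cookie is still acceptable, else None."""
        now = time.time() if now is None else now
        s = self.sessions.get(sid)
        if s is None:
            return None
        expired = (now - s.last_seen > IDLE_TIMEOUT
                   or now - s.issued_at > ABSOLUTE_LIFETIME
                   or s.credential_version != self.credential_version[s.email])
        if expired:
            del self.sessions[sid]  # a copied cookie stops working at this point
            return None
        s.last_seen = now
        return s.email
```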

The post Atlassian admins warned of session cookie vulnerability first appeared on IT World Canada.

Howard Solomon
https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
