According to a report, several misconfigured Jira servers have been found leaking information about internal projects and users belonging to Google and NASA. Other organizations like Yahoo, Lenovo, 1Password, Zendesk as well as various governing bodies were also exposing sensitive data due to misconfigured Jira servers. The popular project management solution Jira, developed by Atlassian for agile teams, is used by Fortune 500 companies to track the progress of various projects and issues.
Discovered by security engineer Avinash Jain, the leak occurs whenever a new filter or dashboard is created in Jira Cloud with the default visibility set to ‘all’. Users tend to read ‘all’ as ‘all within the organization’, but it actually means everyone on the internet. “If a filter or dashboard is shared with Public, the name of the filter or dashboard will be visible to anonymous users,” reads the Jira Cloud documentation.
However, the latest revelation shows that anyone with a good knowledge of advanced search operators can find sensitive information via misconfigured Jira servers. The leaked data includes names, roles, and email addresses of employees who are involved in various projects of an organization, along with the current state and development of those projects.
Bleeping Computer reported that Jain said, “Thousands of companies’ filters, dashboards and staff data were publicly exposed.” Jain added, “I have discovered several such misconfigured JIRA accounts in hundreds of companies. Some of the companies were from Alexa and Fortune top list including big giants like NASA, Google, Yahoo, etc and government sites.”
There is a provision in Jira Cloud where projects can be set up for anonymous access — meaning it does not require a user to log in. And a sharing option for filters and dashboards called “Public” comes with a disclaimer:
“If a filter or dashboard is shared with Public, the name of the filter or dashboard will be visible to anonymous users.” Adding to the problem is another setting in the Global Permissions menu, where the admin can select the “Anyone” option to grant access to anonymous users.
For systems reachable from the public internet, this option is not recommended because Jira has a user picker that lets a user with unrestricted access retrieve a “complete list of usernames and email addresses on the misconfigured exposed servers.”
The researcher identified the misconfigured Jira servers using specific search operators and found thousands of companies’ filters, dashboards, and staff data publicly exposed. Bleeping Computer was able to find several government domains, private companies, and educational institutions the same way. Depending on the organization and the value of the exposed information, this loophole could be used for attacks or corporate espionage.
Jain urges Atlassian to be more explicit about what it means by “Everyone” and “All users” and also recommends that visibility be set to “Private” by default. Explaining the issue, a user on Hacker News said, “This issue arises because, if the site allows any public sharing, the ‘create filter’ UI gives team members the option to share a new filter with ‘Everyone’, which sounds like an org-local scope but is in fact a public/non-logged-in scope. The org-level scope is called ‘Open’, and is not part of this UI. Sigh.”
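An admin can audit their own site for the scope confusion described above by checking the share permissions the Jira Cloud REST API returns for each filter and dashboard. The script below is an added example, not code from the article or from Atlassian; it assumes that the `sharePermissions` type `global` is what the UI calls “Public”/“Everyone” and that `loggedin`/`authenticated` correspond to the org-level “Open” scope, and it reads only the first page of results (`maxResults=100`) for brevity.

```python
import base64
import json
import urllib.request

# Assumed mapping from REST sharePermissions types to the UI's share scopes.
PUBLIC_TYPES = {"global"}                      # "Public" / "Everyone": anonymous internet users
LOGGED_IN_TYPES = {"loggedin", "authenticated"}  # "Open": any logged-in user of the site

def classify_share(perms):
    """Return 'public', 'logged-in' or 'restricted' for a sharePermissions list."""
    types = {p.get("type") for p in perms or []}
    if types & PUBLIC_TYPES:
        return "public"
    if types & LOGGED_IN_TYPES:
        return "logged-in"
    return "restricted"  # private, or shared only with a project/group/user

def find_exposed(items, kind):
    """Return (kind, id, name, scope) for every item shared wider than 'restricted'."""
    findings = []
    for item in items:
        scope = classify_share(item.get("sharePermissions"))
        if scope != "restricted":
            findings.append((kind, str(item.get("id")), item.get("name"), scope))
    return findings

def fetch_json(base_url, email, api_token, path):
    """GET a Jira Cloud REST resource using basic auth (Atlassian email + API token)."""
    creds = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": "Basic " + creds,
                                          "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def audit(base_url, email, api_token):
    """List filters and dashboards that anonymous or all logged-in users can see."""
    filters = fetch_json(base_url, email, api_token,
                         "/rest/api/3/filter/search?expand=sharePermissions&maxResults=100")
    dashboards = fetch_json(base_url, email, api_token, "/rest/api/3/dashboard?maxResults=100")
    return (find_exposed(filters.get("values", []), "filter")
            + find_exposed(dashboards.get("dashboards", []), "dashboard"))

# Constructed sample shaped like the API's sharePermissions field (not real data).
SAMPLE_FILTERS = [
    {"id": 10001, "name": "Sprint backlog", "sharePermissions": [{"type": "global"}]},
    {"id": 10002, "name": "My bugs", "sharePermissions": []},
    {"id": 10003, "name": "Team board", "sharePermissions": [{"type": "project", "project": {"id": "1"}}]},
    {"id": 10004, "name": "Release plan", "sharePermissions": [{"type": "loggedin"}]},
]

if __name__ == "__main__":
    for finding in find_exposed(SAMPLE_FILTERS, "filter"):
        print(*finding)  # flags 10001 as public and 10004 as logged-in
```

Run `audit("https://<your-site>.atlassian.net", email, api_token)` against a live site; anything reported as `public` is visible to anonymous users exactly as the article describes.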