Last week, Avinash Jain, a Lead Infrastructure Security Engineer at Grofers, reported that a misconfiguration in JIRA publicly exposed sensitive information about employees and projects of many big companies. These included organizations like NASA, Google, Yahoo, Zendesk, Lenovo, 1password, Informatica, as well as governing bodies across the world.
Earlier this year I wrote about "Exposed JIRA server leaks NASA staff and project data". While the leak was not limited to NASA, companies like Google, Yahoo, Western Union, Lenovo, 1Password, and many more suffered the same privacy mishap. Here's my blog - https://t.co/7onOvGL2by
— Avinash Jain (@logicbomb_1) August 2, 2019
What was the JIRA misconfiguration
JIRA is Atlassian’s proprietary product used for bug tracking, issue tracking, and agile project management. When you create a dashboard or filter in JIRA, its visibility is set to “Everyone” and “All users” by default. While these settings seem to grant access only to everyone in the organization, they in fact share the item publicly. JIRA also has a user picker functionality that provides a complete list of every user’s username and email address. This happens because of an authorization misconfiguration in Jira’s Global Permissions settings.
These misconfigurations in JIRA exposed internal user data, including names, emails, and roles (via JIRA groups), as well as project details and upcoming milestones (via JIRA dashboards and filters). An attacker with a good knowledge of search queries only needs to find the link, and can then access this information from anywhere.
Jain further explained that he found the link to these dashboards, user pickers, and filters with something called “Google dorks”. He just had to fire a search query in Google and the results showed links to all the companies that had the user picker functionality misconfigured:
[Screenshot of the Google search results. Credits: Avinash Jain]
Jain has already contacted the affected companies. “I reported this to various companies, some rewarded me, some fixed it while some are still living with it,” he wrote. It is, however, unclear whether he has reported this vulnerability to Atlassian as there is no reply from the JIRA creator yet.
What steps Atlassian and users can take to avoid this vulnerability
Jain and many other users also feel that JIRA’s UX is a little bit confusing. He urges Atlassian to be more explicit about what it means by “Everyone” and “All users” and also recommends it should set the visibility to “Private” by default.
Explaining the issue, a user on Hacker News said, “This issue arises because, if the site allows any public sharing, the “create filter” UI gives team members the option to share a new filter with “Everyone”, which sounds like an org-local scope but is in fact a public/non-logged-in scope. The org-level scope is called, “Open”, and is not part of this UI. Sigh.”
The Hacker News user further recommends, “To prevent this issue as a site admin on Jira cloud, go to: Jira Settings -> System -> General Configuration and disable “Allow users to share dashboards and filters with the public.” This doesn’t affect existing filters, which you have to manually fix. In true Jira fashion, if you try to reassign a filter after flipping this setting, it will deny the operation and ask you to edit the ACL, which there is no convenient admin UI to do.”
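Because flipping the site-wide setting leaves existing filters untouched, an admin still has to find the ones already shared with “Everyone”. The script below is an added example (not from Jain’s write-up or from Atlassian): it classifies the sharePermissions entries that Jira Cloud’s filter search endpoint returns (GET /rest/api/3/filter/search?expand=sharePermissions) and lists the filters reachable without logging in. The SAMPLE_RESPONSE is constructed for illustration; the share type names follow the Jira Cloud REST documentation, where the UI’s “Everyone” is the “global” type and “Open” is the logged-in-users type.

```python
"""Audit Jira filter share scopes for public ("Everyone") sharing.

Added example, not code from the article or Atlassian. Feed it the JSON
body of GET /rest/api/3/filter/search?expand=sharePermissions; the
SAMPLE_RESPONSE below is a constructed stand-in for that body.
"""
import json
from typing import Dict, List

# In the REST API the UI's "Everyone" is share type "global" (anonymous web),
# while "Open" is "loggedin"/"authenticated" (any user on the site).
PUBLIC_SHARE_TYPES = {"global"}
ORG_WIDE_SHARE_TYPES = {"loggedin", "authenticated"}

SAMPLE_RESPONSE = json.dumps({  # constructed sample page of filter/search
    "values": [
        {"id": "10001", "name": "Q3 roadmap",
         "sharePermissions": [{"id": 1, "type": "global"}]},
        {"id": "10002", "name": "Team bugs",
         "sharePermissions": [{"id": 2, "type": "loggedin"}]},
        {"id": "10003", "name": "My private view", "sharePermissions": []},
        {"id": "10004", "name": "Release checklist",
         "sharePermissions": [{"id": 3, "type": "project",
                               "project": {"key": "REL"}},
                              {"id": 4, "type": "global"}]},
    ]
})


def classify_scope(share_permissions: List[dict]) -> str:
    """Return the widest audience a filter is shared with."""
    types = {p.get("type") for p in share_permissions}
    if types & PUBLIC_SHARE_TYPES:
        return "public"        # reachable without logging in
    if types & ORG_WIDE_SHARE_TYPES:
        return "org"           # any authenticated user on the site
    if types:
        return "restricted"    # specific projects, groups, roles or users
    return "private"           # owner only


def find_public_filters(response_json: str) -> Dict[str, str]:
    """Map filter id -> name for every filter shared with anonymous users."""
    page = json.loads(response_json)
    return {f["id"]: f["name"] for f in page.get("values", [])
            if classify_scope(f.get("sharePermissions", [])) == "public"}


if __name__ == "__main__":
    for fid, name in find_public_filters(SAMPLE_RESPONSE).items():
        print(f"PUBLIC filter {fid}: {name!r} is shared with anyone on the web")
```

A filter is flagged if any one of its share entries is “global”, since a single public entry is enough to expose it regardless of the other, narrower shares.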
To know more, you can read Jain’s Medium post about the JIRA misconfiguration.