Information Security News mailing list archives
Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter
From: InfoSec News <alerts () infosecnews org>
Date: Thu, 5 Dec 2019 08:20:33 +0000 (UTC)
https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/
By Thomas Claburn in San Francisco, The Register, 5 Dec 2019 (Updated)

Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.
The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.
Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.
The problem with this arrangement is that anyone with sufficient technical knowledge could copy the SSL key and use it to conduct a man-in-the-middle attack that could allow an attacker to redirect app traffic to a malicious site.
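The arrangement described above has a fleet-wide signature a defender can look for: one leaf certificate (hence one private key) presented by a local listener on many hosts, for a public name that resolves to loopback. The following is an added example, not code from the article or from Atlassian; the inventory records, DNS answers and PEM bodies are constructed dummies, and the function names are the author's own.

```python
import base64
import hashlib
import ipaddress
from collections import defaultdict

# Constructed inventory: what a TLS scan of each workstation's local companion
# listener might record. The PEM bodies are dummy bytes, not real certificates;
# only the fingerprint comparison across hosts matters here.
def fake_pem(seed: bytes) -> str:
    body = base64.b64encode(seed * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SHARED = fake_pem(b"shared-cert")  # same blob on every host -> same key
INVENTORY = [
    {"host": "ws-01", "sni": "atlassian-domain-for-localhost-connections-only.com", "pem": SHARED},
    {"host": "ws-02", "sni": "atlassian-domain-for-localhost-connections-only.com", "pem": SHARED},
    {"host": "ws-03", "sni": "atlassian-domain-for-localhost-connections-only.com", "pem": SHARED},
    {"host": "ws-04", "sni": "intranet.example.test", "pem": fake_pem(b"unique-ws-04")},
]
# Constructed DNS answers for the names above (assumed values, not live lookups).
DNS = {
    "atlassian-domain-for-localhost-connections-only.com": ["127.0.0.1"],
    "intranet.example.test": ["10.20.30.40"],
}

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, i.e. the usual certificate fingerprint."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()

def resolves_to_loopback(name: str, dns: dict) -> bool:
    return any(ipaddress.ip_address(ip).is_loopback for ip in dns.get(name, []))

def find_shared_localhost_certs(inventory, dns, min_hosts: int = 2):
    """Flag certificates seen on >= min_hosts distinct hosts whose served name
    points at loopback: the private key is evidently distributed with the
    client, so the certificate cannot authenticate the local endpoint."""
    hosts_by_fp, names_by_fp = defaultdict(set), defaultdict(set)
    for rec in inventory:
        fp = fingerprint(rec["pem"])
        hosts_by_fp[fp].add(rec["host"])
        names_by_fp[fp].add(rec["sni"])
    findings = []
    for fp, hosts in hosts_by_fp.items():
        if len(hosts) < min_hosts:
            continue
        names = names_by_fp[fp]
        if any(resolves_to_loopback(n, dns) for n in names):
            findings.append({"fingerprint": fp, "hosts": sorted(hosts), "names": sorted(names)})
    return findings
```

A unique per-host certificate (ws-04 above) is not flagged even though it is local; the finding requires both key reuse across hosts and a loopback-resolving name.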
[...]

-- 
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_