Information Security News mailing list archives

Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 5 Dec 2019 08:20:33 +0000 (UTC)

https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

By Thomas Claburn in San Francisco
The Register
5 Dec 2019

Updated: Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.

The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a common SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.

Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.

The problem with this arrangement is that anyone with sufficient technical knowledge could extract the certificate's private key from the app and use it to conduct a man-in-the-middle attack, allowing an attacker to redirect app traffic to a malicious site.

[...]



--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_
