Malicious reinstallation of jsm widget app (installed by default in JSM) allows extracting private oauth tokens and user data

Disclosed by rjw
  • Engagement: Atlassian
  • Disclosed: over 1 year ago
  • Reward: $10,000
  • Priority: P1 (Bugcrowd VRT priority rating)
  • Status: Resolved (this vulnerability has been accepted and fixed)
Summary by Atlassian

Extracting private OAuth tokens and user data vulnerability in malicious reinstallation of JSM widget app

Summary by rjw

The JSM for cloud widget is implemented as an internal Atlassian Connect app that was installed by default on Jira Service Management. Since it did not validate the qsh claim of JWTs on its /installed endpoint, an attacker could take a JWT from the browser console and use it to create a fake installation request, changing the baseurl record inside the app.

This allowed the attacker to intercept requests intended to be sent back from the JSM widget app server to JSM cloud. This enabled the attacker to intercept sensitive information and credentials from the requests.

In my opinion, Atlassian did a great job of responding to this report and quickly implementing the fix in production. Additionally, they very quickly communicated this issue through the developer community.

See: https://community.developer.atlassian.com/t/action-required-atlassian-connect-vulnerability-allows-bypass-of-app-qsh-verification-via-context-jwts/47072/28 for more explanation on this issue.
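The core of the fix described above is that a lifecycle endpoint such as /installed must only accept a JWT whose qsh claim is bound to that exact request, and must refuse context JWTs (whose qsh is the fixed string "context-qsh") outright. The following is an added example written for this page, not Atlassian's code or the JSM widget app's code, of what that server-side check looks like with only the Python standard library. The shared secret, the hostname app.example.invalid and the helper names are constructed for the example; the canonical-request rules (uppercased method, path without trailing slash, sorted query parameters with the jwt parameter excluded) follow the documented Atlassian Connect qsh computation in simplified form.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, urlsplit

# Constructed for this example; a real Connect app keeps the secret it
# received at first installation and uses it to verify later lifecycle calls.
SHARED_SECRET = b"constructed-shared-secret-not-a-real-value"
CONTEXT_QSH = "context-qsh"  # fixed qsh value carried by context JWTs


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_qsh(method: str, url: str) -> str:
    """SHA-256 hex digest of the canonical request string METHOD&path&query
    (jwt parameter excluded, keys sorted, values percent-encoded)."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    params = parse_qs(parts.query, keep_blank_values=True)
    pieces = []
    for key in sorted(k for k in params if k != "jwt"):
        values = ",".join(quote(v, safe="~") for v in sorted(params[key]))
        pieces.append(f"{quote(key, safe='~')}={values}")
    canonical = f"{method.upper()}&{path}&{'&'.join(pieces)}"
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def mint_jwt(claims: dict, secret: bytes) -> str:
    """HS256 JWT; used here only to build sample tokens for the check below."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_lifecycle_jwt(token: str, method: str, url: str, secret: bytes, now=None):
    """Return (accepted, reason). Accept only a correctly signed, unexpired
    token whose qsh is bound to this request; context JWTs are refused."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    qsh = claims.get("qsh")
    if qsh == CONTEXT_QSH:
        return False, "context JWT not acceptable on lifecycle endpoint"
    if qsh != canonical_qsh(method, url):
        return False, "qsh does not match this request"
    return True, "ok"


def demo():
    """Constructed /installed call: a request-bound token passes, a context
    token with an otherwise valid signature is refused."""
    url = "https://app.example.invalid/installed"  # constructed hostname
    base = {"iss": "constructed-client-key", "iat": 1000, "exp": 2000}
    bound = mint_jwt({**base, "qsh": canonical_qsh("POST", url)}, SHARED_SECRET)
    context = mint_jwt({**base, "qsh": CONTEXT_QSH}, SHARED_SECRET)
    return (
        verify_lifecycle_jwt(bound, "POST", url, SHARED_SECRET, now=1500),
        verify_lifecycle_jwt(context, "POST", url, SHARED_SECRET, now=1500),
    )


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The order of checks matters: the signature is verified before any claim is read, and the qsh comparison is against a hash recomputed from the method and URL the server actually received, so a token minted for a different endpoint (or a context token lifted from a browser session) cannot be replayed against the lifecycle endpoint even though its signature is genuine.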
