Slack is able to connect any user to a confluence page without even prompting anything.

Disclosed by
0Lucifer0
  • Engagement Atlassian
  • Disclosed date over 4 years ago
  • Priority Unassigned Bugcrowd's VRT priority rating
  • Status Not applicable This vulnerability does not apply to this program
Summary by 0Lucifer0

Atlassian SSO integration are not bound to any accounts. Atlassian will trust any of their SSO to always be a valid way to connect to any account.
Giving the right to all their SSO provider (Apple, Microsoft, Google and Slack) staff or anybody who would find a security issue on one of those provider to forge their access to any Atlassian page.

The likelihood of any of those companies forging their access to some other org Atlassian account is pretty low along side them being hacked. But in the case it would happen it would result in a total loss of confidentiality for all the Customers of Atlassian.

There also seems to be a failure to disclose the fact that Apple, Microsoft, Google & Slack have full access to every Atlassian accounts and no way to disable SSO...

Potential scenario:
1 - A company like Amazon have Atlassian setup
2 - One of the SSO provider is really interested in the data from this company in my example let's say Microsoft
3 - Staff at Microsoft create an account on their system jeff.bezos@amazon.com
4 - Staff at Microsoft connect to jeff bezos Atlassian account
5 - Staff at Microsoft is now able to access confidential data about Amazon and do Industrial espionage

Scenario that can be tested by a normal user to experience the issue:
1 - Create an Atlassian Account using email or any of the SSO providers.
2 - Ensure one of the SSO (Apple, Microsoft, Google, Slack) have an account using the same email and are not the one you created the account with at Step 1
3 - Use the SSO button with the SSO not linked to the account at Step 2.
4 - You are now logged in as User of Step 1.

If their was no security issue two events could happen:

  • The account would not be found as their is no account with that specific SSO
  • A brand new account would be created (that's what auth0 does for exemple)
Activity