Misconfigured JIRA Servers Leak Info on Users and Projects
Misconfigured Jira servers from big names in the tech industry exposed information about internal projects and users that could be accessed by anyone with a good command of advanced search operators.
Jira is a popular solution for project management, developed by Atlassian for agile teams. It is used by Fortune 500 companies for easily tracking the progress of various tasks and issues.
Organizations like Google, Yahoo, NASA, Lenovo, 1Password, Zendesk, as well as governing bodies across the world left unprotected private details that could have jeopardized their developments.
Some entities continue to unwittingly expose to the public the names, roles, and email addresses of employees involved in various projects of the organization, along with the current stage and development of those activities.
Definitely a visibility problem
This information becomes public through a setting that controls the visibility of filters and dashboards for projects on Jira servers, says Avinash Jain, the security engineer who discovered the problem.
Jain told BleepingComputer that when a new filter or dashboard is created in Jira Cloud, the default visibility setting is “all”; this is commonly understood as ‘all within the organization’, but it actually refers to everyone on the internet.
Projects on Jira Cloud can be set up for anonymous access, which does not require a user to log in. One of the sharing options for filters and dashboards is called Public and comes with a warning:
“If a filter or dashboard is shared with Public, the name of the filter or dashboard will be visible to anonymous users.” Jira Cloud documentation.
A broader setting is in the Global Permissions menu, where the admin can choose “Anyone” from the drop-down list to grant access to users who are not logged in. Atlassian does not recommend this for “systems that can be accessed from the public Internet such as Cloud.”
Jira has a user picker functionality that allows retrieving a complete list of usernames and email addresses on the misconfigured exposed servers.
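To see what an administrator would look for when auditing the sharing settings described above, here is an added example (not from the article or from Atlassian) that classifies filters or dashboards by who can see them. It assumes the JSON shape of Jira Cloud's filter/dashboard search responses with `expand=sharePermissions`, where each item carries a list of `{"type": ...}` entries, and that the type strings `global` (the Public share), `loggedin`/`authenticated`, `project`, `group` and `user` match Jira's documented values; the sample data is constructed.

```python
import json

# Constructed sample in the assumed shape of
# GET /rest/api/3/filter/search?expand=sharePermissions
SAMPLE_FILTERS_JSON = """
[
  {"id": "10000", "name": "Sprint burndown",
   "sharePermissions": [{"type": "global"}]},
  {"id": "10001", "name": "Security backlog",
   "sharePermissions": [{"type": "project", "project": {"key": "SEC"}}]},
  {"id": "10002", "name": "Release tracker",
   "sharePermissions": [{"type": "loggedin"}]},
  {"id": "10003", "name": "My private filter",
   "sharePermissions": []}
]
"""

# "global" is the Public share: visible to anonymous users on the internet.
# "loggedin"/"authenticated" reach any Atlassian account holder, which is
# still broader than "all within the organization" (assumed type names).
ANONYMOUS_TYPES = {"global"}
ANY_ACCOUNT_TYPES = {"loggedin", "authenticated"}


def exposure_level(item):
    """Return 'anonymous', 'any-account' or 'restricted' for one filter/dashboard."""
    types = {p.get("type") for p in item.get("sharePermissions", [])}
    if types & ANONYMOUS_TYPES:
        return "anonymous"
    if types & ANY_ACCOUNT_TYPES:
        return "any-account"
    # No share entry means owner-only; project/group/user shares are scoped.
    return "restricted"


def audit(items):
    """Group item names by exposure level so the anonymous ones stand out."""
    report = {"anonymous": [], "any-account": [], "restricted": []}
    for item in items:
        report[exposure_level(item)].append(item["name"])
    return report


def audit_json(raw):
    """Convenience wrapper for a raw API response body."""
    return audit(json.loads(raw))


if __name__ == "__main__":
    for level, names in audit_json(SAMPLE_FILTERS_JSON).items():
        print(f"{level:12s} {', '.join(names) or '-'}")
```

Anything reported under "anonymous" is what the article describes as reachable by anyone on the internet; fixing it means re-sharing the item with a project, group or user instead of Public.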
Finding misconfigured servers
Using specific search operators (Google Dorks), Jain was able to identify the machines configured to allow access to information about users and related projects.
When BleepingComputer tried them, we could easily find government domains that were affected, as well as private companies and educational institutions.
Depending on the organization, these details are valuable for reconnaissance operations before planning an attack or for spying on the competition.
“Thousands of companies’ filters, dashboards and staff data were publicly exposed,” says the researcher.
“I have discovered several such misconfigured JIRA accounts in hundreds of companies. Some of the companies were from Alexa and Fortune top list including big giants like NASA, Google, Yahoo, etc., and government sites.” – Avinash Jain
The researcher reported some of his findings to affected parties and was recognized for his role in improving their security protocols. One of the organizations is the United Nations; another recognition was for CODIX – a financial solution used by the European Union institutions and agencies.
Last year, Jain found and reported responsibly to NASA a misconfigured Jira server that exposed details (names and email addresses) of 1,000 users.