Putting the ass in Atlassian: Helpdesk email server passwords blabbed to strangers

Logins misdirected to wrong boxes by Jira toolkit

Someone whispering a secret to another

Exclusive Atlassian has warned users of its Jira Service Desk toolkit to change their helpdesk email account passwords – after a glitch caused the credentials to be sent to strangers' servers.

Customers were today sent an advisory, seen by The Register, from Atlassian explaining that, due to a long-standing bug in its IT helpdesk software, those who opted to process their support queries via email had their email server usernames and passwords sent to other Atlassian customers' email servers. That would allow these strangers to obtain their credentials, if they were logging login attempts.

Here's how it worked in a nutshell: the email channel option lets organizations running Jira Service Desk receive support requests from their customers via email – such as via helpdesk@theregister.com – and these requests then show up on the Jira service desk web-based dashboard.

In order to do this, Jira needs to log into the organization's email server to access the helpdesk inbox – eg: it would connect to theregister.com's mail server and log into the helpdesk@ account. And in order to do this, Jira has to present to the email server the username and password for the account. Thanks to the bug, some of those login requests were sent to the wrong servers, pinging other Atlassian subscribers' servers and attempting to login. Thus, the credentials were leaked to third parties.

"The vulnerability has been present since early 2017," Atlassian told its punters. "We first became aware of the issue on July 12, 2018 PST and took immediate action to investigate the matter, issuing a fix early on July 16, 2018 PST."

Logger heads

While "credentials going to another server" is not something any admin wants to hear, there are a couple things to keep in mind that mitigate the damage here.

First, it wasn't just some random box on the internet that was getting the requests, Atlassian said. The bug only sent the credentials to other email servers. This brings up the second point: most email servers don't log passwords used in unsuccessful login attempts. There's little chance any of the credentials transmitted here were recorded, let alone harvested with the intent of being used by scumbags.

Still, Atlassian is advising customers who opted for the email feature to change the password they use for the email accounts connected to the service out of an abundance of caution. Doing so should eliminate any possible risk from the blunder, we're told. Atlassian is also directing any customers who have concerns about their account security to contact their support desk with the reference code HOT-84313.

A spokesperson for Atlassian told us: "We can confirm this email was sent to a small number of Jira Service Desk users that were affected by this issue. The bug has been fully diagnosed and fixed, and all customers that might have been affected have been contacted directly. If a user was not contacted, there is no need for them to take action."

Below is a copy of the full email sent out today. ®

Hello,

We have identified a security vulnerability in the functionality used by the e-mail channel feature in Jira Service Desk's cloud version. We want to make you aware so that you can take appropriate action on your end.

Due to a bug, our mail service occasionally sent the credentials you provided in your email channel configuration to the wrong mail server in an attempt to log in. At no point were the contents of your emails (or other data used by Jira Service Desk) exposed to other customers. Although it is unusual to configure a mail server to retain login credentials and, therefore, unlikely that the credentials were exposed, we recommend that you change the password of the email account configured in the email channel feature.

The vulnerability has been present since early 2017. We first became aware of the issue on July 12, 2018 PST and took immediate action to investigate the matter, issuing a fix early on July 16, 2018 PST. We are notifying you now after investigating and confirming you may have been affected. If you have any questions please feel free to raise a support request at https://support.atlassian.com/jiraservicedesk-cloud/ referencing HOT-84313.

Sincerely,
–The Jira Service Desk Team

Thanks to Reg reader Will Wilson for tipping us off. Have you clocked any other security cockups? Let us know – anonymity guaranteed if requested.




Biting the hand that feeds IT © 1998–2018