Google, NASA and hundreds of Fortune 500 companies are leaking data via misconfigured JIRA servers
An India-based security engineer has discovered several misconfigured JIRA servers leaking information of users and internal projects belonging to Google, NASA, Yahoo, etc., which anyone with a good knowledge of advanced search operators could access, according to a report from Bleeping Computer.
JIRA is a proprietary issue tracking product developed by Atlassian that allows bug tracking and agile project management and is used by Fortune 500 companies.
Avinash Jain, the security researcher who discovered the problem, stated that the primary cause of the leak was a misconfiguration present in JIRA.
In a report detailing his finding, Jain states that the misconfiguration vulnerability in JIRA servers lets anyone access the “internal user data, their name, email ids, their project details on which they were working, assignee of those projects and various other information.”
Many of the affected companies appear on the Alexa and Fortune top lists. They range from organisations as large as NASA, Google and Yahoo to Go-Jek, HipChat, Zendesk, Sapient, Dubsmash, Western Union, Lenovo, 1Password and Informatica, and government sites around the world suffered the same privacy issue, including a European government portal, the United Nations, NASA, a Brazilian government transport portal and a Canadian government finance portal.
The misconfiguration occurs because of the wrong permissions assigned to the filters and dashboards created for projects and issues in JIRA. When new filters and dashboards are created, their visibility is set by default to “All users” and “Everyone” respectively, which is understood as ‘all within the organization’. However, it actually means everyone on the internet.
JIRA Cloud also allows projects to be set up for anonymous access, meaning users do not need to log in to view them.
“Public” – one of the sharing options for filters and dashboards – comes with a disclaimer:
“If a filter or dashboard is shared with the Public, the name of the filter or dashboard will be visible to anonymous users.”
Further, another setting in the Global Permissions menu allows the admin to choose the “Anyone” option to grant access to users that are not logged in. This is not recommended for “systems that can be accessed from the public Internet such as Cloud.”
JIRA’s user picker functionality returns a complete list of every user’s username and email address on the misconfigured, exposed servers. This leak is due to an authorization misconfiguration in JIRA’s Global Permissions settings, namely a wrong permissions scheme.
The misconfigured JIRA settings disclose sensitive details such as:
- the names and email addresses of all employees on the account,
- employees’ roles, through JIRA groups,
- current projects and upcoming milestones, through JIRA dashboards/filters.
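A defender's first step is to find out which filters and dashboards on their own instance are shared with the Public or with all logged-in users. The script below is an added example, not code from the article or from Atlassian; it assumes the `sharePermissions` list with a `type` field that Jira's REST filter and dashboard resources return (`global` for the Public option, `loggedin`/`authenticated` for logged-in users), and runs over a constructed sample rather than a live server.

```python
import json

# Share-permission "type" values in Jira's REST filter/dashboard payloads
# (assumed shape for this example): "global" is the Public option, readable
# by anyone on the internet without logging in; "loggedin"/"authenticated"
# cover every logged-in user; group/project/projectRole/user are scoped.
PUBLIC_TYPES = {"global"}
LOGGED_IN_TYPES = {"loggedin", "authenticated"}


def classify_share(share_permissions):
    """Return the widest audience one filter/dashboard is shared with."""
    types = {p.get("type") for p in share_permissions}
    if types & PUBLIC_TYPES:
        return "public"
    if types & LOGGED_IN_TYPES:
        return "logged-in"
    return "scoped"


def audit_shares(items):
    """Flag items shared beyond a named group or project, public ones first.
    `items` is a list of dicts shaped like Jira's filter/dashboard resource
    (id, name, owner, sharePermissions), e.g. exported by an admin.
    """
    findings = []
    for item in items:
        level = classify_share(item.get("sharePermissions", []))
        if level != "scoped":
            findings.append({"id": str(item.get("id")), "name": item.get("name"),
                             "owner": (item.get("owner") or {}).get("name"),
                             "exposure": level})
    findings.sort(key=lambda f: (f["exposure"] != "public", f["name"]))
    return findings


# Constructed sample payload (not real data) in the assumed REST shape.
SAMPLE_ITEMS = json.loads("""[
  {"id": 10001, "name": "Q3 roadmap", "owner": {"name": "pm-lead"},
   "sharePermissions": [{"type": "global"}]},
  {"id": 10002, "name": "Open bugs", "owner": {"name": "qa"},
   "sharePermissions": [{"type": "loggedin"}]},
  {"id": 10003, "name": "My tasks", "owner": {"name": "dev1"},
   "sharePermissions": []},
  {"id": 10004, "name": "Infra board", "owner": {"name": "ops"},
   "sharePermissions": [{"type": "project", "project": {"key": "INFRA"}}]}
]""")

if __name__ == "__main__":
    for f in audit_shares(SAMPLE_ITEMS):
        print(f"{f['exposure']:9} {f['id']:6} {f['name']} ({f['owner']})")
```

Anything reported as `public` is what search engines can index; `logged-in` items are only a problem when the Global Permissions “Anyone” option also grants browsing rights to anonymous users.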
“Anyone with the link can access them from anywhere and get hold of various sensitive information and because they are being indexed by all the search engines so anyone can easily find them with some simple search queries,” Jain said.
The researcher was able to identify the misconfigured JIRA servers that allow access to information about users and related projects by using specific search operators (Google Dorks).
When Bleeping Computer exploited the vulnerability, they were easily able to find affected government domains as well as private firms and educational institutions. The vulnerability can be used to plan an attack or to spy on a competitor.
“Thousands of companies’ filters, dashboards and staff data were publicly exposed. It occurs because of the wrong permissions scheme set to filters and dashboards hence providing their access even to non-logged in users and hence leading to leaking of sensitive data. I have discovered several such misconfigured JIRA accounts in hundreds of companies. Some of the companies were from Alexa and Fortune top list including big giants like NASA, Google, Yahoo, etc and government sites.”
The researcher has reported the newly discovered leak to the affected companies. Last year, Jain found a misconfigured JIRA server that exposed the names and email addresses of 1,000 users, which he responsibly reported to NASA and which NASA later fixed.