Misconfigured Jira servers leak user and project information


Misconfigured Jira servers belonging to major companies in the tech industry exposed information on internal projects and users, which anyone with a well-crafted advanced search query could access.

Jira is a popular project management solution for agile teams, developed by Atlassian. Fortune 500 companies use it to track the progress of tasks and issues.

Private details belonging to organizations such as Google, Yahoo, NASA, Lenovo, 1Password, Zendesk and government bodies around the world were left unprotected, which could have put their development work at risk.

Some organizations are still exposing the names, roles and email addresses of staff involved in various projects, as well as the current phase and progress of those activities.

Visibility problem

This information becomes accessible through the setting that controls the visibility of filters and dashboards for projects on Jira servers, says Avinash Jain, the security engineer who discovered the problem.

According to Jain, the default visibility setting in Jira Cloud when a new filter or dashboard is created is “all,” which is commonly understood to mean “all within the organization,” but it actually applies to everyone on the Internet.

Jira Cloud projects can be set up for anonymous access, with no need to log in as a user. One of the sharing options for filters and dashboards is called “Public” and comes with a warning:

“If a filter or dashboard is shared with Public, the name of the filter or dashboard will be visible to anonymous users.” – Jira Cloud documentation

A broader setting is found in the Global Permissions menu, where an admin can select “Anyone” from the drop-down list to grant access to users who are not logged in. The documentation advises against this for “systems that can be accessed from the public Internet such as Cloud.”

Jira's user picker functionality can then be used to retrieve a complete list of user names and email addresses from such misconfigured, exposed servers.
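The sharing settings described above can be reviewed from the administrator's side before anyone else finds them. The following script is an added example (not code from the article or from Atlassian) that audits a tenant's filters and dashboards and flags those shared with “Public” or with every logged-in user. It assumes the Jira Cloud REST API v3 endpoints `/rest/api/3/filter/search` (with `expand=sharePermissions`) and `/rest/api/3/dashboard`, that each item carries a `sharePermissions` list of `{"type": ...}` entries, and that the dialog's “Public” option appears as share type `global` while `loggedin`/`authenticated` denote any logged-in user; the sample payloads are constructed, so the offline part runs without a tenant.

```python
"""Audit Jira Cloud filters and dashboards for anonymous ("Public") sharing.

Added example, not from the article or Atlassian. Assumptions: Jira Cloud's
REST API v3 lists filters at /rest/api/3/filter/search (expand=sharePermissions)
and dashboards at /rest/api/3/dashboard, each item carrying a `sharePermissions`
list of {"type": ...} entries; the sharing dialog's "Public" option is assumed
to appear as type "global", and "loggedin"/"authenticated" as any logged-in user.
"""
import base64
import json
import urllib.parse
import urllib.request

PUBLIC_SHARE_TYPES = {"global"}                        # assumed: UI "Public"
ORG_WIDE_SHARE_TYPES = {"loggedin", "authenticated"}   # assumed: any logged-in user

# Constructed sample payloads in the assumed API shape (not real tenant data).
SAMPLE_FILTERS = [
    {"id": "10000", "name": "Open security bugs", "owner": {"displayName": "Alice"},
     "sharePermissions": [{"type": "global"}]},
    {"id": "10001", "name": "My sprint", "owner": {"displayName": "Bob"},
     "sharePermissions": []},
    {"id": "10002", "name": "Team board", "owner": {"displayName": "Carol"},
     "sharePermissions": [{"type": "project", "project": {"key": "SEC"}}]},
]
SAMPLE_DASHBOARDS = [
    {"id": "10100", "name": "Release status", "owner": {"displayName": "Dave"},
     "sharePermissions": [{"type": "loggedin"}]},
    {"id": "10101", "name": "Ops overview", "owner": {"displayName": "Erin"},
     "sharePermissions": [{"type": "global"}, {"type": "group", "group": {"name": "ops"}}]},
]


def classify_share(share_permissions):
    """Return 'public', 'org-wide', 'scoped' or 'private' for one item's share list."""
    types = {p.get("type") for p in share_permissions or []}
    if types & PUBLIC_SHARE_TYPES:
        return "public"          # visible to anonymous Internet users
    if types & ORG_WIDE_SHARE_TYPES:
        return "org-wide"        # every logged-in user; public if anonymous browsing is on
    if types:
        return "scoped"          # a specific project, group or user
    return "private"             # owner only


def audit(items, kind):
    """Return findings for filters or dashboards that are exposed beyond a scoped share."""
    findings = []
    for item in items:
        level = classify_share(item.get("sharePermissions"))
        if level in ("public", "org-wide"):
            findings.append({
                "kind": kind,
                "id": item.get("id"),
                "name": item.get("name"),
                "owner": (item.get("owner") or {}).get("displayName", "unknown"),
                "exposure": level,
            })
    return findings


def audit_sample():
    """Run the audit over the constructed sample data (offline)."""
    return audit(SAMPLE_FILTERS, "filter") + audit(SAMPLE_DASHBOARDS, "dashboard")


def _get(base_url, path, params, email, api_token):
    """GET one page of a Jira Cloud REST endpoint using basic auth (email + API token)."""
    url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
    creds = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}",
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(base_url, path, list_key, params, email, api_token, page_size=50):
    """Follow startAt/maxResults pagination and return every item under list_key."""
    items, start = [], 0
    while True:
        page = _get(base_url, path, {**params, "startAt": start, "maxResults": page_size},
                    email, api_token)
        batch = page.get(list_key, [])
        items.extend(batch)
        start += len(batch)
        if not batch or start >= page.get("total", 0):
            return items


def audit_tenant(base_url, email, api_token):
    """Live audit of a tenant you administer, e.g. base_url="https://example.atlassian.net"."""
    filters = fetch_all(base_url, "/rest/api/3/filter/search", "values",
                        {"expand": "sharePermissions"}, email, api_token)
    dashboards = fetch_all(base_url, "/rest/api/3/dashboard", "dashboards", {}, email, api_token)
    return audit(filters, "filter") + audit(dashboards, "dashboard")


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['exposure']:>8}  {f['kind']:<9} {f['id']}  {f['name']!r} (owner: {f['owner']})")
```

Run as-is to see the sample findings; call `audit_tenant()` with an account that can see all filters and dashboards to audit a real tenant. Anything reported as `public` is readable without a login; `org-wide` items become equally exposed once the “Anyone” global permission is enabled, so both are worth re-sharing to a project or group.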

Misconfigured Jira Servers

Using specific search operators (Google dorks), Jain was able to identify misconfigured servers that exposed information about users and related projects.

We could easily find government agencies, as well as private firms and educational institutions, that were affected.

Depending on the organization, these details are valuable for reconnaissance ahead of planning an attack, or for spying on a competitor.

“Thousands of companies' filters, dashboards and staff data were publicly exposed,” says the researcher.

“I have discovered several such misconfigured JIRA accounts in hundreds of companies. Some of the companies were from the Alexa and Fortune top lists, including big giants like NASA, Google, Yahoo, etc., and government sites.” – Avinash Jain

The researcher reported some of his findings to the affected parties and was recognized for his part in improving their security. One such organization is the United Nations; he was also acknowledged by CODIX, a financial solution used by institutions and agencies of the European Union.

Last year, Jain discovered and reported to NASA a misconfigured Jira server that revealed the details (names and email addresses) of 1,000 users.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.