
Security vulnerability #8

Closed
zhil opened this issue Apr 28, 2016 · 3 comments

Comments


zhil commented Apr 28, 2016

Dear Atlassian Connect vendor,

We've found a vulnerability in one or more of your add-ons, managed by the vendor at this email address. It lets an attacker overwrite the shared secret for an existing installation by crafting a malicious install callback. This will break the add-on on the targeted host product. It will also enable the attacker to sign JWTs with the new secret to authenticate with the add-on service and access protected data for that installation.

Fixing the vulnerability:

After a connect add-on is installed on a host product for the first time, the host will secure every subsequent install callback using a JSON Web Token (JWT) signed with the existing shared secret (not the new shared secret in the request body). The JWT will be included in the Authorization header like so: Authorization: JWT signed.base64-encoded-jwt.goes-here

To fix the vulnerability, make sure that:

- Install callback requests for existing installations have the Authorization: header.
- The JWT in the header is signed with the existing shared secret from the previous registration.
- The shared secret is updated to the new shared secret in the payload once the install callback has been verified (because the client will sign JWTs with the new secret from that point on).

You can test your fix using the attached Python script (there are two versions: one for Python 2.7 and one for Python 3.5). The script attempts the shared secret overwrite against a specially-prepared test host, so it will not affect your customers.

Thanks again for developing with Atlassian Connect, and please let us know if you have any questions.

Regards,

The Atlassian Connect Team

PS. Your add-on appeared not to be using the atlassian-connect-express framework. If it is using atlassian-connect-express, please simply update to version 1.0.9 of the library.
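A minimal install-callback handler that applies the three checks from the mail above, added here as an illustration; it is not code from the issue, from Atlassian, or from the add-on discussed. The in-memory `store`, the `make_jwt` test helper, and the `iss`/`exp` claim checks are assumptions made for the example (constructed, not specified in the mail); the HS256 verification is done with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(secret: str, claims: dict) -> str:
    """HS256-sign claims; used here only to build callbacks for testing (assumed helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def handle_install_callback(headers: dict, payload: dict, store: dict, now=None):
    """Process an install callback. `store` maps clientKey -> current sharedSecret (assumed).
    Returns (accepted, reason); the stored secret changes only after verification."""
    now = int(time.time()) if now is None else now
    client_key = payload["clientKey"]
    new_secret = payload["sharedSecret"]
    existing = store.get(client_key)
    if existing is None:
        store[client_key] = new_secret  # first install: nothing to verify against yet
        return True, "first install registered"
    auth = headers.get("Authorization", "")
    if not auth.startswith("JWT "):
        return False, "re-install without Authorization: JWT header"
    parts = auth[4:].split(".")
    if len(parts) != 3:
        return False, "malformed JWT"
    header_b64, claims_b64, sig_b64 = parts
    # Signature must be HMAC-SHA256 over header.claims under the EXISTING secret,
    # never under the new secret carried in the request body.
    expected = hmac.new(existing.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "JWT not signed with the existing shared secret"
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != client_key:
        return False, "JWT issuer does not match clientKey"
    if claims.get("exp", 0) < now:
        return False, "JWT expired"
    store[client_key] = new_secret  # only now switch to the new secret
    return True, "re-install verified, shared secret rotated"
```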


zhil commented Apr 28, 2016

I have tested the bundle using Python 2.7.6 and this script:
https://gist.github.com/zhil/53d77f7c120b5ed4eef51ed5c8d2a363

It claims that the bundle is vulnerable.


zhil commented Apr 28, 2016

@thecatontheflat


zhil commented Apr 28, 2016
