External access issues potentially aggravated by coronavirus crisis
UPDATED An alarming number of internal IT service desks are open to the public, potentially enabling attackers to impersonate employees and cause widespread damage to an organization’s infrastructure, a security researcher has found.
In an analysis of thousands of popular domains, Inti De Ceukelaire, head of hackers at bug bounty platform Intigriti, found that 15% of Atlassian Jira Service Desks were public-facing – a 12% increase on scans he’d undertaken before the Covid-19 crisis, dating back to summer 2019.
Just the ticket
With growing numbers of people working remotely during the coronavirus pandemic, the use of collaboration software is booming, as organizations scramble to get a handle on their workflow management.
However, some security professionals have sounded the alarm that many users are unprepared for the attendant security risks.
There is no question of Atlassian – which has a bug bounty program and “some excellent documentation” on Service Desk configuration – being at fault, De Ceukelaire acknowledged in a post published on Medium on April 2.
Rather, he found that many organizations were guilty of misconfiguring their Service Desk instances by allowing them to be accessed externally. This includes some customer-facing portals that had been repurposed for internal use.
Proof of concept
Developed by Atlassian (which also makes Trello collaboration software), Jira Service Desk is a popular IT service management platform and DevOps tool in which tickets are created to request changes, track bug fixes, or gain access to a particular service.
Of 10,000 popular domain names scanned globally, De Ceukelaire found that 288 of 1,972 Atlassian instances were public-facing.
The researcher found that attackers could readily login to many companies’ Atlassian instances and thus gain access to their support portals.
RELATED Intigriti: Meet the bug bounty platform putting community into crowdsourced security
In many cases, all they had to do was simply enter the company’s name into the default Atlassian login URL and extend the URL with /servicedesk/customer/user/login.
Once an attacker had accessed this “presumably authorised environment”, said De Ceukelaire, they were less likely to arouse suspicion.
The researcher noted that organizations with dispersed workforces – or those with newly-enshrined work-from-home policies due to the coronavirus outbreak – could no longer rely on verifying a request’s legitimacy face-to-face with colleagues.
Some service desks had also leaked customer email addresses in some configurations.
Advice to users
Speaking to The Daily Swig, De Ceukelaire has advised service desk software vendors to “keep an eye on user behavior patterns and how they change during a crisis, [and] try to inform their users about possible misconfigurations.”
Users, meanwhile, must “stay vigilant” about a ticket requestor’s identity, especially in remote work situations, the security pro warned.
Atlassian published tips for setting permission settings on its community site the day after the research was published (April 3).
“Jira Service Desk administrators have the option to set internal service desks as either public or private for only users they specify,” an Atlassian spokesperson told The Daily Swig.
“Our customers have varied use cases that may require them to set their service desks as public, i.e. to service requests from vendors, clients, or even customers where appropriate.
“We understand some users may have configured this setting differently from what was intended and we will be communicating with Jira Service Desk customers to remind them where they can find this privacy configuration.”
De Ceukelaire said he has disclosed service desk misconfigurations to 25 companies so far, with bug bounties subsequently awarded in the range of €50 to $10,000.
This article was updated with comments from Atlassian on April 4
READ MORE ServiceDesk Plus vulnerability could give attackers full access to IT support systems
