Atlassian Scrambles to Fix Zero-Day Security Hole Accidentally Disclosed on Twitter
upstart writes:
Submitted via IRC for Bytram
Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.
The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain that resolved to a local server with a shared SSL certificate for its Confluence cloud service, to enable the Atlassian Companion app to edit files in a preferred local application and save the files back to Confluence.
Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.
The problem with this arrangement is that anyone with sufficient technical knowledge could copy the SSL private key and use it to conduct a man-in-the-middle attack that could allow an attacker to redirect app traffic to a malicious site.
Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.
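As an added defender-side example (not code from the article, Atlassian, or the researchers), here is a small inventory audit that flags the two ingredients described above: a name that resolves only to loopback, and one certificate fingerprint serving such loopback listeners on more than one host, which indicates a shared private key. The inventory records and fingerprints are constructed.

```python
"""Inventory audit for the 'domain that resolves to localhost' pattern.
Added example, not Atlassian's or The Register's code; inventory data is constructed."""
import ipaddress
from collections import defaultdict

# Constructed records: (host_id, hostname, resolved_addresses, cert_sha256_hex).
# The hostname is the one quoted in the article; the fingerprints are made up.
SAMPLE_INVENTORY = [
    ("laptop-1", "atlassian-domain-for-localhost-connections-only.com", ["127.0.0.1"], "aa" * 32),
    ("laptop-2", "atlassian-domain-for-localhost-connections-only.com", ["::1", "127.0.0.1"], "aa" * 32),
    ("laptop-3", "intranet.example.test", ["10.0.0.5"], "bb" * 32),
    ("laptop-4", "intranet.example.test", ["10.0.0.5"], "bb" * 32),
]


def is_loopback_only(addresses):
    """True when a name resolves exclusively to loopback addresses (IPv4 or IPv6)."""
    if not addresses:
        return False
    try:
        return all(ipaddress.ip_address(a).is_loopback for a in addresses)
    except ValueError:  # unparsable address string: do not classify it as loopback
        return False


def audit(inventory):
    """Return findings: public names pointing at loopback, and any certificate
    that serves loopback listeners on more than one host (a shared private key)."""
    findings = []
    hosts_by_cert = defaultdict(set)
    for host_id, name, addrs, fingerprint in inventory:
        if is_loopback_only(addrs):
            findings.append({"kind": "public-name-resolves-to-loopback",
                             "host": host_id, "name": name})
            hosts_by_cert[fingerprint].add(host_id)
    for fingerprint, hosts in hosts_by_cert.items():
        if len(hosts) > 1:
            findings.append({"kind": "shared-cert-on-local-listeners",
                             "fingerprint": fingerprint, "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

The loopback finding on its own is only informational; it is the second finding, the same fingerprint on loopback listeners across hosts, that means every install trusts a key any one of them can read.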