back to article Putting the ass in Atlassian: Helpdesk email server passwords blabbed to strangers

Atlassian has warned users of its Jira Service Desk toolkit to change their helpdesk email account passwords – after a glitch caused the credentials to be sent to strangers' servers. Customers were today sent an advisory, seen by The Register, from Atlassian explaining that, due to a long-standing bug in its IT helpdesk …

  1. Destroy All Monsters Silver badge
    Windows

    That was fast

    "The vulnerability has been present since early 2017," Atlassian told its punters. "We first became aware of the issue on July 12, 2018 PST and took immediate action to investigate the matter, issuing a fix early on July 16, 2018 PST."

    The way other completely annoying and apparently-not-hard to fix problems with tons of votes are being handled by Atlassian it amazes me that they got to it before 2025.

    Unless the problem is "solved" by dropping the feature which is the root cause .... like recursive table in Confluence, ain't it, Atlassian?

  2. Adam 1 Silver badge

    known unknowns

    I don't mean to single out Atlassian with this comment. Every company seems to do this, but it triggers me. It's this:

    "At no point were the contents of your emails (or other data used by Jira Service Desk) exposed to other customers"

    Or another way, sorry, we realised that, due to a bug, we occasionally sent some of our other customers your address and house keys, but at no point were the contents of your house exposed. We've known about this for two weeks. You should probably get new keys cut.

    You cannot assert that negative. It is not knowable. I mean if your TV and jewellery turned up at said other customer's place, you could know that the keys were used. But absence of evidence isn't evidence of absence.

    There's obviously a bunch of legalese in these sorts of customer communications, but sometimes I just wish that they would just explain what they know, what they don't know yet, and what is not knowable, alongside whatever action the customer can take to limit any potential harm.

    1. a_yank_lurker Silver badge

      Re: known unknowns

      Once the in-house shysters work over the release it is often nothing more the babble-speak shyster. They are trying not to admit any guilt or responsibility before getting hit with a lawsuit. But I doubt that will really work and just might really piss off someone into suing them because they came across as complete jackasses.

  3. tiggity Silver badge

    The joy of the cloud

    See title

    1. Archivist

      Re: The joy of the cloud

      Actually you can self host it if you choose, but then there are many free alternatives that you can host with a little effort.

  4. Robert Carnegie Silver badge

    After all, they didn't send your login and password across the internet to an unidentified stranger, in plaintebt... did they? Wait, that's a point. Did they? Do they still? (see "Iran", "BGP", this week.)

  5. Version 1.0 Silver badge

    Security?

    Yea, we've heard of it - the CEO's wife's going on a security course next week in the Bahamas.

    1. Robert Carnegie Silver badge

      Re: Security?

      Jamaica? (I know, sorry)

  6. Anonymous Coward
    Anonymous Coward

    Logging Invalid Passwords

    This brings up the second point: most email servers don't log passwords used in unsuccessful login attempts. There's little chance any of the credentials transmitted here were recorded, let alone harvested with the intent of being used by scumbags.

    I don't know about anyone else, but I know that we log the invalid passwords here. It is helpful when analyzing which dictionaries the script kiddies are using. They get written to the log file in base64 format so they aren't clear text, but easily reversible.

    However, I believe that they only get logged for accounts that actually exist on the server, so if the account or domain didn't exist the server (as they would not in this case) then no information other than the fact that a given IP tried to log into a given missing account would be logged. After so many attempts the IP is temporarily locked out, and if the account exists and the attack is coming from a botnet then the account gets temporarily locked as well.

    1. Version 1.0 Silver badge

      Re: Logging Invalid Passwords

      We killed the majority (about 90%) of our botnet login attempts by implementing a geo-location check when a login is attempted.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019