Putting the ass in Atlassian: Helpdesk email server passwords blabbed to strangers Atlassian has warned users of its Jira Service Desk toolkit to change their helpdesk email account passwords – after a glitch caused the credentials to be sent to strangers' servers. Customers were today sent an advisory, seen by The Register, from Atlassian explaining that, due to a long-standing bug in its IT helpdesk …
"The vulnerability has been present since early 2017," Atlassian told its punters. "We first became aware of the issue on July 12, 2018 PST and took immediate action to investigate the matter, issuing a fix early on July 16, 2018 PST."
The way other completely annoying and apparently-not-hard to fix problems with tons of votes are being handled by Atlassian it amazes me that they got to it before 2025.
Unless the problem is "solved" by dropping the feature which is the root cause .... like recursive table in Confluence, ain't it, Atlassian?
I don't mean to single out Atlassian with this comment. Every company seems to do this, but it triggers me. It's this:
"At no point were the contents of your emails (or other data used by Jira Service Desk) exposed to other customers"
Or another way, sorry, we realised that, due to a bug, we occasionally sent some of our other customers your address and house keys, but at no point were the contents of your house exposed. We've known about this for two weeks. You should probably get new keys cut.
You cannot assert that negative. It is not knowable. I mean if your TV and jewellery turned up at said other customer's place, you could know that the keys were used. But absence of evidence isn't evidence of absence.
There's obviously a bunch of legalese in these sorts of customer communications, but sometimes I just wish that they would just explain what they know, what they don't know yet, and what is not knowable, alongside whatever action the customer can take to limit any potential harm.
Once the in-house shysters work over the release it is often nothing more the babble-speak shyster. They are trying not to admit any guilt or responsibility before getting hit with a lawsuit. But I doubt that will really work and just might really piss off someone into suing them because they came across as complete jackasses.
This brings up the second point: most email servers don't log passwords used in unsuccessful login attempts. There's little chance any of the credentials transmitted here were recorded, let alone harvested with the intent of being used by scumbags.
I don't know about anyone else, but I know that we log the invalid passwords here. It is helpful when analyzing which dictionaries the script kiddies are using. They get written to the log file in base64 format so they aren't clear text, but easily reversible.
However, I believe that they only get logged for accounts that actually exist on the server, so if the account or domain didn't exist the server (as they would not in this case) then no information other than the fact that a given IP tried to log into a given missing account would be logged. After so many attempts the IP is temporarily locked out, and if the account exists and the attack is coming from a botnet then the account gets temporarily locked as well.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
