Are Your Internal Systems Exposed?

Of course your first answer is no. Internal systems are only visible internally. But you made changes in a hurry to deal with Covid.

Here is the story of one researcher. He is the head of hackers at Intigriti, an ethical hacking firm.

Companies use software like JIRA and Asana to create tickets for all sorts of reasons. As these service desks have become publicly visible, it is likely that the configuration changes needed to protect that software appropriately were never made.

Here is what the researcher did.

He started with 10,000 popular domain names.

1,972 had Atlassian instances associated with them.

288 were open to the public (this is an increase of 12% since the Covid crisis started).

He then signed up for accounts on these domains.

Sometimes he could access HR tickets, Office helpdesks, marketing, data science and other departments.

Sometimes it included requests to reset MFA or unlock an account.

About a third of the accounts he created allowed him to assign tickets to other people.

Okay, so this sounds like a problem. What did he do, and what could he have done?

MORE THAN 85% OF THE COMPANIES FOR WHICH HE WAS ABLE TO CREATE AN ACCOUNT DID NOT HAVE A WAY TO RESPONSIBLY REPORT THE VULNERABILITY.

Does your company have a way? One that is easy to find?

The companies that did respond reacted in a variety of ways, from simply accepting the report to rating it critical. He was offered rewards ranging from 50 Euros to $10,000.

Is this a bug in JIRA? No. No more so than you leaving your front door open when you go to work is a bug in the door.

Is this being exploited in the wild? Likely it is.

Is this limited to JIRA? Absolutely not. It could be an issue for any software that is exposed to the public Internet.

Could you be exposed? Do you have systems that are publicly visible? If so, then yes.

Does this affect cloud-based systems? It is certainly possible. In this case, it was a cloud-based system.

The only way to be sure is to inventory your systems and look at them one at a time. Start with the ones that house data that you would not want to be posted publicly.

Credit: Medium