https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/
By Thomas Claburn in San Francisco
The Register
5 Dec 2019
Updated Twitter security celeb SwiftOnSecurity on Tuesday inadvertently
disclosed a zero-day vulnerability affecting enterprise software biz Atlassian,
a flaw that may be echoed in IBM's Aspera software.
The SwiftOnSecurity Twitter account revealed that Atlassian provided a domain
that resolved to a local server with a common SSL certificate for its
Confluence cloud service, to enable the Atlassian Companion app to edit files
in a preferred local application and save the files back to Confluence.
Confluence connects to its companion app through the browser using the rather
unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.
The problem with this arrangement is that anyone with sufficient technical
knowledge could copy the certificate's private key and use it to mount a
man-in-the-middle attack, redirecting the app's traffic to a malicious site.
[...]