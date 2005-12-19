from the and-so-it-goes dept.
Atlassian scrambles to fix zero-day security hole accidentally disclosed on Twitter
Twitter security celeb SwiftOnSecurity on Tuesday inadvertently disclosed a zero-day vulnerability affecting enterprise software biz Atlassian, a flaw that may be echoed in IBM's Aspera software.
The SwiftOnSecurity Twitter account revealed that, for its Confluence cloud service, Atlassian provides a public domain that resolves to a local server and ships a single shared SSL certificate for it, so that the Atlassian Companion app can open Confluence files in a preferred local application and save them back to Confluence.
Confluence connects to its companion app through the browser using the rather unwieldy domain: https://atlassian-domain-for-localhost-connections-only.com.
The problem with this arrangement is that the private key for that shared certificate has to be present on every machine running the Companion app, so anyone with sufficient technical knowledge can copy it. An attacker who also controls how the domain resolves can then present a certificate the browser accepts as valid for that name and conduct a man-in-the-middle attack, redirecting app traffic to a malicious site.
Google security engineer Tavis Ormandy confirmed that anyone using the app could be subjected to such an attack.
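The reason this design cannot be patched from the certificate side is that a key shared by every install is effectively public: certificate validation then says nothing about whether the peer is really the local companion. The only check that still carries information is whether the "localhost-only" name actually resolves to a loopback address. As an added example, not code from the article or from Atlassian, the Python audit below enforces that check; the domain name is the one quoted above, while the resolver interface and the sample DNS answers are constructed for illustration.

```python
# Added example (not Atlassian's code): audit a "localhost-only" TLS domain.
#
# The scheme described above trusts a public DNS name plus a certificate whose
# private key is shared by every install. Because that key is effectively
# public, certificate validation cannot tell the real local companion apart
# from an attacker who answers DNS for the same name and holds the same key.
# The one check that still carries information is whether the name resolves
# to a loopback address, so that is what this audit enforces.
import ipaddress
import socket

# Domain taken from the article; the resolver interface below is an assumption.
LOCALHOST_ONLY_DOMAIN = "atlassian-domain-for-localhost-connections-only.com"


def system_resolver(hostname):
    """Resolve through the OS, so /etc/hosts entries and any DNS hijack count."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def audit_localhost_only(hostname, resolver=system_resolver):
    """Return (ok, offenders).

    ok is True only when the name resolves to at least one address and every
    address is loopback (127.0.0.0/8 or ::1). offenders lists the non-loopback
    addresses, i.e. where traffic meant for the "local" app would really go.
    """
    try:
        addrs = resolver(hostname)
    except socket.gaierror:
        addrs = []
    offenders = []
    for addr in addrs:
        # getaddrinfo may append a zone id ("fe80::1%eth0") that ip_address rejects
        ip = ipaddress.ip_address(addr.split("%", 1)[0])
        if not ip.is_loopback:
            offenders.append(addr)
    return (bool(addrs) and not offenders, offenders)


# Constructed DNS answers standing in for what a resolver might return.
CONSTRUCTED_ANSWERS = {
    "healthy": ["127.0.0.1", "::1"],
    # A poisoned resolver or on-path attacker points the name at a host they
    # control; with the shared key they can still present a valid certificate.
    "hijacked": ["127.0.0.1", "203.0.113.5"],
    "no_answer": [],
}


def audit_constructed(case):
    """Run the audit against one of the constructed answers above."""
    return audit_localhost_only(
        LOCALHOST_ONLY_DOMAIN, resolver=lambda _h: CONSTRUCTED_ANSWERS[case]
    )


if __name__ == "__main__":
    for case in CONSTRUCTED_ANSWERS:
        print(case, audit_constructed(case))
    # Live check against this machine's own resolver (a lookup failure is
    # reported as not ok rather than raising).
    print("live", audit_localhost_only(LOCALHOST_ONLY_DOMAIN))
```

Run it as a script to see the three constructed cases and a live lookup of the domain from the machine you are on; a non-loopback address in the live result means traffic to the "local" companion would leave the host, and the shared certificate would not stop it.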
(Score: 2) by canopic jug on Thursday December 05, @07:54AM
Twitter celebrity? Yes. Security celebrity? No.
As entertaining as that account can be on rare occasions, and this is one of those occasions, it is by and large just another M$ shill account. It appears to have no other purpose than trying to keep Windows users on the reservation, usually by denigrating better systems and flippant, fatalist remarks goading people along on the M$ treadmill.
