Hardcoded password in Confluence app has been leaked on Twitter
What's worse than a widely used Internet-connected enterprise app with a hardcoded password? Try said enterprise app after the hardcoded password has been leaked to the world.
Atlassian on Wednesday revealed three critical product vulnerabilities, including CVE-2022-26138, which stems from a hardcoded password in Questions for Confluence, an app that lets users quickly get support for common questions involving Atlassian products. The company warned that the password was "trivial to obtain."
The company said that Questions for Confluence had 8,055 installations at the time of publication. When installed, the app creates a Confluence user account named disabledsystemuser, intended to help admins move data between the app and the Confluence Cloud service. The account is a member of the confluence-users group, so anyone holding its hardcoded password can view and edit every page in Confluence that is not explicitly restricted.
"A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to," the company said. "It is important to remediate this vulnerability on affected systems immediately."
A day later, Atlassian was back to report that "an external party has discovered and publicly disclosed the hardcoded password on Twitter," leading the company to ratchet up its warnings.
"This issue is likely to be exploited in the wild now that the hardcoded password is publicly known," the updated advisory read. "This vulnerability should be remediated on affected systems immediately."
The company warned that Confluence installations may still be vulnerable even when the app is no longer installed. Uninstalling the app does not remediate the vulnerability, because the disabledsystemuser account it created remains in the user directory, with the same password, until an admin disables or deletes it.
To figure out if a system is vulnerable, Atlassian advised Confluence users to search for accounts with the following information:
- User: disabledsystemuser
- Username: disabledsystemuser
- Email: dontdeletethisuser@email.com
Atlassian's advisory gives further instructions for locating such accounts. The vulnerability affects Questions for Confluence versions 2.7.x and 3.0.x. Atlassian offered customers two ways to fix the issue: disable the disabledsystemuser account, or delete it. The company has also published a list of answers to frequently asked questions.
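The search Atlassian describes above is a lookup in Confluence's user directory, which Confluence Server/Data Center keeps in the embedded Crowd tables cwd_user, cwd_group and cwd_membership. The following is an added example, not Atlassian's code or part of the original article: a read-only query that finds any directory entry matching either published indicator (the username or the email address, checked separately in case one was edited), lists the groups it belongs to, and turns the result into a verdict. Because the account outlives the app, the check is worth running whether or not Questions for Confluence is still installed. To keep the example runnable offline it builds a constructed, minimal SQLite copy of those tables with made-up data; the SQL itself uses only the real column names, so it can be pointed at a production database. The 'T'/'F' encoding accepted for cwd_user.active is an assumption about the Confluence schema, handled tolerantly rather than relied upon.

```python
import sqlite3

# Indicators published by Atlassian for CVE-2022-26138.
INDICATOR_USERNAME = "disabledsystemuser"
INDICATOR_EMAIL = "dontdeletethisuser@email.com"

# Read-only query against Confluence's embedded Crowd tables. The lower_*
# columns give a case-insensitive match; LEFT JOINs keep an account that
# has been removed from every group, since it still has to be deleted.
DETECTION_SQL = """
SELECT u.user_name, u.email_address, u.active, g.group_name
FROM cwd_user u
LEFT JOIN cwd_membership m ON m.child_user_id = u.id
LEFT JOIN cwd_group g ON g.id = m.parent_id
WHERE u.lower_user_name = ? OR u.lower_email_address = ?
ORDER BY u.user_name, g.group_name
"""


def find_suspect_accounts(conn):
    """Return {user_name: {"email": ..., "active": ..., "groups": [...]}}
    for every directory entry matching either indicator."""
    rows = conn.execute(DETECTION_SQL, (INDICATOR_USERNAME, INDICATOR_EMAIL)).fetchall()
    found = {}
    for name, email, active, group in rows:
        entry = found.setdefault(name, {"email": email, "active": active, "groups": []})
        if group is not None:
            entry["groups"].append(group)
    return found


def assess(account):
    """Turn one record from find_suspect_accounts() into a verdict.
    Assumption: cwd_user.active is stored as 'T'/'F' in Confluence; the
    1/0 and TRUE spellings are accepted too so the check is not brittle."""
    if account is None:
        return "not present"
    active = str(account["active"]).upper() in ("T", "1", "TRUE")
    if active and "confluence-users" in account["groups"]:
        return "exploitable: active and a member of confluence-users"
    if active:
        return "active: disable or delete it, group membership can be restored"
    return "inactive: still delete it, a disabled account can be re-enabled"


def build_sample_db():
    """Constructed stand-in for a Confluence database: a minimal subset of the
    cwd_* columns, one ordinary user and the app's account. Not real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE cwd_user (id INTEGER PRIMARY KEY, user_name TEXT, lower_user_name TEXT,
                           email_address TEXT, lower_email_address TEXT, active TEXT,
                           directory_id INTEGER);
    CREATE TABLE cwd_group (id INTEGER PRIMARY KEY, group_name TEXT, lower_group_name TEXT,
                            directory_id INTEGER);
    CREATE TABLE cwd_membership (id INTEGER PRIMARY KEY, parent_id INTEGER, child_user_id INTEGER,
                                 child_group_id INTEGER, membership_type TEXT);
    INSERT INTO cwd_group VALUES (1, 'confluence-users', 'confluence-users', 1),
                                 (2, 'confluence-administrators', 'confluence-administrators', 1);
    INSERT INTO cwd_user VALUES
      (10, 'alice', 'alice', 'alice@example.org', 'alice@example.org', 'T', 1),
      (11, 'disabledsystemuser', 'disabledsystemuser',
           'dontdeletethisuser@email.com', 'dontdeletethisuser@email.com', 'T', 1);
    INSERT INTO cwd_membership VALUES (100, 1, 10, NULL, 'GROUP_USER'),
                                      (101, 2, 10, NULL, 'GROUP_USER'),
                                      (102, 1, 11, NULL, 'GROUP_USER');
    """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    hits = find_suspect_accounts(db)
    if not hits:
        print("no account matching the CVE-2022-26138 indicators")
    for name, record in hits.items():
        print(f"{name} <{record['email']}> groups={record['groups']}: {assess(record)}")
```

On the constructed data the script reports the account as exploitable because it is active and still in confluence-users. The query only reads; the actual disable or delete should be done through Confluence's user management as Atlassian describes, not by editing the cwd_* tables by hand.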
(Score: 4, Insightful) by bradley13 on Monday July 25 2022, @10:26AM (1 child)
As if a hard-coded login isn't stupid enough: They didn't even own the email address associated with the login.
Whoever put this login into the code, or knew about it, deserves to be fired. Whatever QA process they have, that this managed to pass, needs replacing. The managers associated with the development, and with the QA, also need to find new opportunities elsewhere - all the way to the top.
Seriously, who does this? This is the kind of mistake you expect from some "coding camp" graduate who is working with no supervision.
Everyone is somebody else's weirdo.
(Score: 2) by ls671 on Monday July 25 2022, @11:48AM
Indeed, sorry about that! I am going to remove it. I am going to make a text search and make sure it isn't in the code anymore!
What was that password already?
Everything I write is lies, read between the lines.
(Score: 4, Interesting) by SomeGuy on Monday July 25 2022, @11:59AM
"app that allows users to quickly receive support for common questions involving Atlassian products."
So, putting it on the web where users could easily search for it is just too hard and requires a platform-specific "app"?
Right, let me guess, collects geolocation data? More advertising? Alerts out the yingyang?
"Don't forget to download our FREE you-tracker weather app/malware to get instant news and weather alerts! You need alerts! Really! And buy more smartphones! Because we love selling smartphones!"