One misconfiguration, hundreds of companies, thousands of dollars in bounties

Atlassian Confluence is a web-based software application that allows teams to collaborate and share knowledge in a centralized platform. It is used by thousands of organizations for creating, organizing, and sharing documents, meeting notes, project plans, and other types of content.

In this article, I will describe how a misconfiguration in Confluence Cloud caused (and is still causing) the exposure of internal and sensitive information of various organizations and companies. I will also be sharing the results of my research, which uncovered hundreds of companies with the same misconfiguration.

Within Confluence, content is organized into spaces. A space is a container for content and collaboration in Confluence. It’s a way to organize related pages, blogs, and other types of content into one location, making it easier to manage and navigate. This allows members to share information, track progress, collaborate on tasks, etc.

Since the information in such spaces can be confidential, each space has permissions which can be assigned and revoked for access control.

Here is where the misconfiguration exists.

For any space, by going to Space tools > Permissions > Edit Permissions you can choose to allow anonymous users access to the space. This is usually done in order to make the space public (for example, some companies create spaces with support articles which are meant to be available to everyone).

However, in some cases, spaces containing internal information are unintentionally set in such a way that they give anonymous users access to view or edit, making the information public.

The only thing an attacker needs to do is to visit this URL:

https://<companyname>.atlassian.net/wiki/spaces

If there are any spaces open to the public, they will be visible on the landing page.

After finding this misconfiguration on one target, I wanted to see just how many companies were affected by this misconfiguration. I created a script in order to automate this process. I also used a few Google dorks for the same:

site:"*.atlassian.net" inurl:"/wiki"

Most of the Google dorks yield false positives (spaces that are intended to be public), but there are a few results which are clearly not meant to be exposed to the public.

I combined all the data from my automation and then sifted through it manually.

The results? Hundreds of companies, from small businesses to MNCs and international organizations, exposing internal information such as:

• Passwords and working authentication tokens
• Ongoing project data (Project schedules, teams, links to other collaboration tools such as Miro and Figma)
• Employee PII (Names, email addresses, phone numbers)
• Meeting recordings, schedules and timetables
• Employee onboarding and hiring procedures
• Security incident reports
• Personal employee notes
• Detailed description of different protocols (i.e. procedures to be followed during security breaches, etc.)
• …

This misconfiguration was even present in some of the oldest public bug bounty programs on Hackerone, and numerous private programs across different platforms.

The results greatly varied. Some of the affected instances leaked information with minimal impact, while others contained access tokens and private keys for organization-wide services. One instance even gave me access to edit and create spaces, which could have caused huge problems if found by an attacker.

After checking if the spaces were not meant to be public, I reported as many findings as I could. Sadly, many organizations affected do not have a responsible disclosure program.

I also found this misconfiguration affecting organizations having public or private bug bounty programs. Most of these reports were acknowledged and fixed quickly.

The impact ranged from Low to Critical, based on the information being disclosed. Almost all the bug bounty programs I submitted this to were happy to provide a monetary reward, ranging from $250 to $3000 per report.

There are still hundreds of instances unknowingly being exposed to the public. Like Inti De Ceukelaire mentioned in his article about a similar vulnerability,

“Whether you offer rewards for security bugs or not, every company should have a policy and contact for individuals to report security vulnerabilities to them.”

Even something as simple as “security.txt” can help an organization uncover security vulnerabilities such as this misconfiguration.

A few points to be noted regarding this misconfiguration:

1. This is NOT a vulnerability in Atlassian Confluence, or in any other Atlassian product. This is a misconfiguration made by individual organizations using Confluence Cloud for internal operations.
2. In case you manage to find an instance containing public spaces, please check if it is within the scope of a program or not before reporting. Do not download or use any information found within the spaces.
3. Some Confluence spaces are actually meant to be public (ex. public documentation, customer support, etc.). Please do not report such instances.
4. In some cases, you might be able to escalate impact by using information found within the pages. Please take permission from the organization before attempting any such activity.
5. Please also check if the instance actually belongs to the company before reporting it as a vulnerability.

A simple misconfiguration like this can become a critical security vulnerability very quick, affecting other parts of an organization’s infrastructure. Hence, I believe that all companies should include all of their owned and managed assets in scope for responsible disclosure.

This is my first writeup, so any feedback is appreciated :)

I am also building an open, inclusive and beginner-friendly community for anyone with an interest in web security. If you are interested, here is the link to the Discord server: https://discord.gg/akuYpdFUEr.

You can also follow me on Linkedin, where I post some interesting stuff : https://www.linkedin.com/in/mopasha/

Please 👏 if you liked this article and let me know your thoughts in the comments!

Did you know, you can applaud up to 50 times for a single article on Medium? Try it out by pressing the 👏 button below if you like the article!

Thanks for reading!