How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud

11 min readNov 19, 2021

Below you will learn in detail about the discovered vulnerability that allowed me to get about 15000$ in bounty with all secrets from the Atlassian cloud. This story happened about a year ago. And I did not publish it immediately for ethical reasons.

It all started the day my friend and I decided to look for vulnerabilities of a company with a big scope at Hackerone. The company allows critical vulnerabilities outside of the scope. And the first thing that came to mind was to look for various leaks on Github. It didn’t take long for the results to come in. We stumbled upon the company’s employee work credentials. The credentials themselves were not very useful. After trying our fate on a few login forms, we realized that this could not be a critical vulnerability. Finally, my friend decided to check that login and password pair at atlassian.com. And there was an interesting result. He logged in, but after logging in he got a page asking him to confirm his account. Since we were not able to get access to the user’s email inbox to verify leaked account, we decided to give up. But at the end of the form with the proposal to confirm the account, my friend decided to click on the reconfirmation button.

A couple of weeks went by and we decided to try again to find working credentials from this company. We came across new logins and passwords. In the end, we didn’t even notice how we stumbled on the login and password we had found earlier. And oh my god — this time the login to Atlassian Cloud was successful. This story then worked with several other credentials that we hadn’t found before with no reconfirmation messages at all. And with no 2fa. These were clearly critical issues for the company. We sent reports and got a few triage and resolved states.

After a while, however, the company changed its position on the problem for other reports that were not triaged yet. Bug bounty policy was changed. And we were asked to make responsible disclosure reports to customers whose data were compromised.

How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud

Written by Valeriy Shevchenko

More from Valeriy Shevchenko

Jenkins RCE PoC or simple pre-auth remote code execution on the Server.

Once upon a time, a friend of mine asked me a question — "Do you know any fresh RCE for the Jenkins environment ?". I was informed already…

SSRF Vulnerability due to Sentry misconfiguration

That story happened when I saw that disclosed report.

BurpSuit + SqlMap = One Love

Sorry, but it's not hacking writeup. I am on a way to prepare it. Just need more time with this to not make harm many companies before they…

SSRF vulnerability via FFmpeg HLS processing

Once I performed pentest for one famous company. The object of testing was a platform for searching, licensing and managing music with…

Recommended from Medium

My AWS Pentest Methodology

Why write this?

Semi-Automating IDORs: A Practical Approach to Working Smarter, Not Harder

semi-automating idors for making extra $$$$

Lists

Best of The Writing Cooperative

Medium Publications Accepting Story Submissions

Staff Picks

How to Find First Bug (For Beginners)

As a beginner, you try to find bugs in many websites but still you got nothing. You got Demotivation during bug hunting ,Don’t worry when…

Host Header Injection lead to Hall of Fame

Intro : Hello Hackers! What’s Up. Welcome to my New Article. Here I will discuss about Host Header Injection that takes me to Hall of Fame…

How I got a $500 reward for finding an unacclaimed bucket on GitHub

I was researching bug bounty programs and my main focus was finding unacclaimed buckets, when I decided to search within the immunefi.com…

Privilege Escalation: Unauthorized Low-Privilege Users Creating Feature Bundles

Discover how low-privilege users are able to create feature bundles in Examtegg (an Private Program), bypassing system security, and get…