How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud
--
Below you will learn in detail about the vulnerability I discovered, which earned me about $15,000 in bounties and exposed all of the secrets stored in a company's Atlassian Cloud. This story happened about a year ago, and I did not publish it immediately for ethical reasons.
It all started the day my friend and I decided to look for vulnerabilities in a company with a large scope on HackerOne. The company accepts critical vulnerabilities even outside of that scope. The first thing that came to mind was to look for leaks of various kinds on GitHub, and it didn't take long for results to come in: we stumbled upon the work credentials of one of the company's employees. By themselves the credentials were not very useful. After trying our luck on a few login forms, we realized that this could not be reported as a critical vulnerability. Finally, my friend decided to try that login and password pair at atlassian.com, and there was an interesting result. He logged in, but after logging in he got a page asking him to confirm his account. Since we had no access to the user's email inbox to verify the leaked account, we decided to give up. But before doing so, my friend clicked the reconfirmation button at the bottom of the form that asked to confirm the account.
A couple of weeks went by, and we decided to try again to find working credentials for this company. We came across new logins and passwords, and at some point, without noticing at first, we ended up back at the login and password we had found earlier. And oh my god, this time the login to Atlassian Cloud was successful. The same then worked with several other credentials that we had not found before, with no reconfirmation prompt at all, and with no 2FA. These were clearly critical issues for the company. We sent reports, and several were triaged and resolved.
After a while, however, the company changed its position on the reports that had not yet been triaged. The bug bounty policy was changed, and we were asked to make responsible disclosure reports to the customers whose data had been compromised.