How I accidentally hacked many companies using N/A vulnerability in Atlassian Cloud

Valeriy Shevchenko
11 min read · Nov 19, 2021

Below you will learn in detail about the discovered vulnerability that allowed me to get about $15,000 in bounty, along with all the secrets from the Atlassian cloud. This story happened about a year ago, and I did not publish it immediately for ethical reasons.

It all started the day my friend and I decided to look for vulnerabilities in a company with a big scope on HackerOne. The company allows critical vulnerabilities outside of the scope. And the first thing that came to mind was to look for various leaks on GitHub. It didn’t take long for the results to come in. We stumbled upon the work credentials of one of the company’s employees. The credentials themselves were not very useful. After trying our luck on a few login forms, we realized that this could not be a critical vulnerability. Finally, my friend decided to check that login and password pair at atlassian.com. And there was an interesting result. He logged in, but after logging in he got a page asking him to confirm his account. Since we were not able to get access to the user’s email inbox to verify the leaked account, we decided to give up. But at the end of the form with the proposal to confirm the account, my friend decided to click on the reconfirmation button.

A couple of weeks went by and we decided to try again to find working credentials…


I am a guy passionate about testing and security research 👨‍💻 → t.me/valyaroller