SECURITY ISSUE during login procedure of managed users

Stefaan Vandaele
Contributor
October 16, 2024


Hi,

The login procedure for managed users contains a dangerous security issue.

Steps:

- The managed user wants to use the Confluence/Jira site of the company

- The user does not remember the exact URL of the site and performs a search

- The user clicks on one of the search results and selects one of the buttons "Get Confluence", "Get Jira", etc...

- The user enters their work email and uses the identity provider login (IDP)

- The user gets logged in through the IDP

Expected results:

- Atlassian knows that the user is a managed user that belongs to an organization

- The organization has already one or more EXISTING sites

- Atlassian should redirect the user to a page offering a choice between the EXISTING sites

Actual results:

- The user is redirected to a signup page which also contains a "welcome back" message, tricking the user into thinking they are on the right track

- The page contains a prefilled edit box with a site name that contains the organization name.

- Because the site name contains the organization name, the user thinks he is still on the right track and clicks the blue button

- In the next step a NEW organization and a NEW site are created

- The user is still not aware that he is working outside of the organization and can start entering confidential company data into this new site. This security issue requires urgent fixing.

Proposal:

- A managed user of an organization should not be allowed to create new sites

- Only organization admins are allowed to create new sites

Thanks,

Stefaan

7 answers

4 votes
Dirk Ronsmans
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
October 16, 2024

Hi @Stefaan Vandaele ,

That is indeed something that happens way too often (unfortunately).

At this time, there is no way for an organization admin to block the unauthorized creation of a site/organization by a managed user. At best if you have Atlassian Guard, they will be notified and you can remove the newly created site.

We've taken this up with Atlassian plenty of times but sadly this is the reality that happens way too often still.

Stefaan Vandaele
Contributor
October 16, 2024

Hi @Dirk Ronsmans ,

Atlassian is really tricking the user into creating a new site.

A more responsible role of Atlassian could be to guide the user towards existing products and sites for the organization.

Do you mean that Atlassian is not willing to do that?

Stefaan

Jason M.
Contributor
October 25, 2024

@Stefaan Vandaele  For everyone aware of the related Atlassian requests (CLOUD-10325, ID-7697, etc), I think we're all in agreement now this is not (nor ever was) a bug, oversight, or security oversight by Atlassian.

Given the blatantly insincere & infrequent communications, the misdirection, and all too convenient tie-ins with boosting subscription #s...this is either a legacy "feature" some codgy ol big-wig still thinks is legitimate, or it ties into some other internal financially-driven motive down the road.

3 votes
Sarp Egemen
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 16, 2024

I, out of curiosity, wanted to try this, and you are exactly right @Stefaan Vandaele.

It is really tricky.

When searching in Google for Jira or Confluence, if a user clicks on one of the links below as shown in the search results:

https://www.atlassian.com/software/jira/free
https://www.atlassian.com/software/confluence/free

If they are already logged in (have the authentication cookies), they are directly prompted to create a new environment with a suggested URL pre-filled, resembling the company's actual URL.


John Funk
Community Leader
October 16, 2024

Hi Stefaan - Yes, hearing this a lot lately. Maybe someone from Atlassian will come address it.

Jason M.
Contributor
October 25, 2024

From all indicators from Atlassian in the public forum thus far, this seems more like a shady strategy that's been enforced by someone (or some group) within Atlassian with significant sway/influence. This individual or group takes Atlassian customers for fools if they thought this strategy would just slide by.

Factoring in how this issue/bug has been poorly managed & communicated with customers, the blatantly disingenuous representation of this non-'solution', followed by an immediate internal directive for product teams to close all tickets related to the request...we should all be in agreement by now what's going on.

Joe.Noel
Contributor
October 28, 2024

Someone from my company attended Team '24 and spoke with a few folks from Atlassian. They reportedly said it was an intended feature and didn't see it being changed anytime soon.

2 votes
Darryl Lee
Community Leader
October 16, 2024

Ohey @Stefaan Vandaele ...

In the immortal words of John McClane, "Welcome to the party, pal!"

I wrote a tiny bit about this here:
Why is Atlassian promoting Shadow IT? Or Accidental IT? 

And people are NOT happy in a few of the tickets that seem to address this:

  • CLOUD-10325 - Allow non-Enterprise administrators to control managed users' associated sites and products
  • ID-7697 - Prevent managed users from creating cloud site using a verified domain.

(An Enterprise-only feature allows admins to prevent managed users from creating sites. This functionality has now been extended to Premium Trello and Bitbucket plans.)

Thanks for the pointer here, @Dirk Ronsmans ...

Darryl Lee
Community Leader
October 16, 2024

Oh yeah, and folks are not happy about it here either:

1 vote
Joe.Noel
Contributor
October 16, 2024

What troubles me most about this is that the tickets regarding it (many of which are years old) are being closed and flagged as "resolved."

0 votes
Darryl Lee
Community Leader
January 28, 2025

Hi all - trying to get the word out:

@Charles Blaxland has gotten @Derrick Nguyen to file this Suggestion:

I think all the major points are covered, so I look forward to everyone voting it up.

I don't look forward to Atlassian letting it languish for several years. :-/

Thanks a lot Charles and Derrick!

0 votes
Darryl Lee
Community Leader
November 8, 2024

Hi @Stefaan Vandaele - as you recently commented in CLOUD-10325, I had forgotten that "the situation was different (and even worse) for the customers who don't have Atlassian Guard." 

It prompted me to create a new post: 

You are spot on here:

  • Managed users: the users are "managed" but what does this mean? In my opinion, the company must have control over those users and what they can do or can’t do on the platform. But not for Atlassian! For them, a "managed" user means a user that belongs to a claimed domain, that's all! On the contrary, Atlassian guides our “managed” users away from the “premium” managed environment, and allows (and encourages!) them to subscribe for new products outside of the managed environment! This shadow IT is a major security hazard!
0 votes
Stefaan Vandaele
Contributor
October 31, 2024

FYI, CLOUD-10325 has been updated yesterday (Oct 30):

"Hi everyone,

We have been closely monitoring this ticket and would like to take a moment to address your questions and provide the rationale for closing this ticket.

When we first launched product requests last year, we decided to package this feature as part of the enterprise plan based on our data-backed analysis, which included an analysis of market standards.

Following this decision, we kept this ticket open to continue to monitor feedback from our small-to-medium customers. The feedback you provided led us to further invest in an Atlassian Guard Standard (formerly Atlassian Access) feature called automatic product discovery.

In the last year, the team worked to release ‘add admin’ functionality, making the feature more actionable. Now, an admin can take over the discovered product and determine the appropriate next steps. We have a dedicated community post outlining this process here. Automatic product discovery is not limited to the enterprise plan and any customer of any size can purchase a subscription for Atlassian Guard Standard to gain access to this feature.

We will keep this ticket closed and appreciate your understanding, as well as your time to comment and interact here.

Griffin"


Joe.Noel
Contributor
October 31, 2024

Did they not see the part where the burden of adding yourself as an admin, removing other members, and tediously requesting to terminate the add'l licenses/products is the problem?

I should certainly hope that admins would be notified when something that is a security issue is created. That is quite literally the bare minimum functionality they can provide.

Geeze.

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
PREMIUM
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders