Jira password exposed in Chrome Developer Tools

Anand Dandikar February 4, 2021

Hi All,

Our IT Security reached out suggesting Jira passwords are exposed within the firewall. We have implemented Secure LDAP and Jira is running behind Apache firewall, with a valid GoDaddy cert and accessible from HTTPS. Jira Software Server version is 8.8.0. Screenshot as follows that shows Form Data with exposed password.

[Screenshot: JiraPW.PNG]

Anyone successfully masked this on Atlassian applications? Much appreciate any suggestions/pointers.


Thanks,

Anand

2 answers

1 accepted

3 votes
Answer accepted
Daniel Eads (Atlassian Team), February 4, 2021

Hi @Anand Dandikar , great question - I can see how this could be concerning at first glance.

Although the connection between your browser and Jira (and Jira and your LDAP server) is encrypted, the endpoints have to have the decrypted data in order to do something with it. For example, when you type the password into the password field, your browser must have your raw (unencrypted) password in order to then encrypt it. This is what you're seeing in the developer tools. Chrome then encrypts the login and password before submitting it over the network.

The browser is going to be aware of your inputs - and there's no avoiding that. This isn't specific to Jira; it's any password field on any website. (See this Stack Overflow thread for more information.) But in order for an attacker to make use of that data, they'd need to have control over your local machine in order to extract it from Chrome before it becomes encrypted. At that point, they could also keylog your machine to intercept the characters before they even reach the browser.

I'm glad your IT team is considering application security! In this regard, the most important thing is making sure the connection is encrypted at the browser (Chrome will give you the padlock [image: image.png], or throw some very angry warnings if the connection is not secure). With Apache running as a reverse proxy for Jira (presumably these are on the same machine / VM), and the connection encrypted between Apache and Chrome, you should be in good shape.

Cheers,
Daniel | Atlassian Support

Anand Dandikar February 5, 2021

Thanks @Daniel Eads. What you explained about data being encrypted after it leaves the client makes sense. So, Apache doesn't go that far as to encrypt it directly from the login form, huh! It would be interesting to know how the packet transfer goes between client, AD server, application server and database server once we hit the login button on Jira. Any configurations possible at all from Apache or Tomcat's server.xml? Or any other way to encrypt it aside from Apache and Tomcat?
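Daniel's point is that the only place the password exists in the clear, other than inside the browser and at the endpoints that must read it, is wherever the transport is not TLS. The configuration below is an added example, not from this thread and not Atlassian's own documentation: an Apache reverse-proxy setup that refuses plain HTTP for Jira, enables HSTS, and forwards to Tomcat over loopback. The hostname `jira.example.com`, the certificate paths and the Tomcat port 8080 are assumptions for illustration.

```apache
# Added example (not from the thread): force every Jira request onto HTTPS
# so the login form and its POST body only ever travel inside TLS.
# Hostname, certificate paths and port are assumptions; adjust for your site.
# Requires mod_ssl, mod_headers, mod_proxy and mod_proxy_http.

# Plain HTTP: serve nothing, redirect everything to HTTPS.
<VirtualHost *:80>
    ServerName jira.example.com
    Redirect permanent / https://jira.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName jira.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/jira.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/jira.example.com.key
    # Intermediate chain supplied with the certificate (e.g. the GoDaddy bundle)
    SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
    # Drop legacy protocols; browsers warn loudly if a downgrade is attempted.
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder     on

    # Tell browsers never to use plain HTTP for this host again.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Hand requests to Tomcat on the same VM. This hop is plain HTTP, which is
    # acceptable only because it never leaves the loopback interface.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

For the Tomcat side, the matching HTTP connector in `server.xml` carries `proxyName="jira.example.com"`, `proxyPort="443"`, `scheme="https"` and `secure="true"` so Jira generates HTTPS links and marks its session cookie as secure. The one segment this layout leaves unencrypted is Apache-to-Tomcat; if Tomcat ever moves to a different host, that hop needs its own TLS (an HTTPS connector on Tomcat with `SSLProxyEngine on` in Apache) rather than being left as plain HTTP across the network.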

0 votes
Sudarshan (Rising Star), February 4, 2021

Hello @Anand Dandikar,
I just informed the Atlassian team about this and it's being looked into.

Is there a proxy involved at your site?

Sudarshan (Rising Star), February 4, 2021

OK, there you go. @Daniel Eads, thank you for the immediate response!

Anand Dandikar February 5, 2021

Thank you @Sudarshan. Yes, we are running Jira behind an Apache reverse proxy and using HTTPS with a GoDaddy cert.

Deployment type: Server. Version: 8.8.0.