Jira app security vulnerability

Faroek Sweet July 20, 2023

Dear community,

I have a question regarding a security issue that has come to our attention inadvertently. Allow me to provide you with the following account:

Our Jira administrators have implemented a range of security policies to ensure compliance with ISO27001 standards. One of these policies is the activation of two-factor authentication. This feature is functioning correctly on our Jira site, in conjunction with a session idle timer, to minimize the risk of unauthorized access (and more reasons why idle timers are beneficial are outlined below).

Recently, one of our colleagues noticed that they could always access their Jira application without having to reauthenticate. After conducting tests, we discovered that logging in once on the Jira app allows continuous access without any further authentication required. We consider this to be a significant vulnerability and have reached out to Atlassian to inquire why the app does not adhere to the security authentication policies we have implemented in Jira. Their response indicated that it is not a frequently requested feature and that they therefore will not take action until it gains sufficient traction.

For those of you who may not recall the advantages of session idle timers as a good policy, here are some reasons:

Security: Idle timers help protect against unauthorized access when users leave their sessions unattended. By automatically logging out inactive users, idle timers reduce the risk of unauthorized individuals gaining access to sensitive information or performing malicious actions.

Privacy: In environments where multiple users share devices or workstations, idle timers ensure that personal or confidential data is not visible to the next user. Automatically ending idle sessions helps maintain privacy and prevents accidental exposure of sensitive information.

Compliance: Certain industries and regulatory standards require the implementation of session management controls, including session idle timers. By adhering to these policies, organizations demonstrate their commitment to compliance and can meet the necessary requirements.

User accountability: Idle timers encourage users to actively manage their sessions and promote a culture of security and responsibility. They remind users to log out or lock their sessions when not in use, reducing the risk of unauthorized access in shared environments.

Overall, session idle timers serve as a practical security measure, promoting both privacy and resource efficiency while aligning with various industry best practices and compliance requirements.

I would like to pose a question to you: Are you familiar with this security issue, and what is your opinion regarding this vulnerability?


If you believe that this issue should be addressed, I kindly request your participation in voting on this matter. Your vote will help us advocate for the resolution of this issue: https://jira.atlassian.com/browse/ACCESS-816

Kind regards,

Faroek
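To make the gap in the post above concrete, here is a small model of server-side session handling: a browser session that is subject to an idle timer and an absolute lifetime, beside an app credential that is exempt from the idle timer. This is an added illustration written for this page, not Atlassian's code, and the 15-minute idle and 8-hour absolute limits are assumed policy values, not anything the post states. Time is injected as a parameter so the walk-through is deterministic.

```python
"""Model of idle and absolute session timeouts, and of what happens when one
credential type (the app's) is exempted from the idle timer.
Added illustration for this page; not Atlassian's implementation."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed policy value: log out after 15 min of inactivity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy value: re-authenticate at least every 8 hours


@dataclass
class Session:
    user: str
    created: float      # when the user last authenticated (second factor included)
    last_seen: float    # last request made with this credential
    enforce_idle: bool  # whether the idle timer applies to this credential


class SessionStore:
    """Server-side store; expired credentials are deleted so they cannot be replayed."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self.idle = idle
        self.absolute = absolute
        self._sessions = {}

    def login(self, user, now, mfa_passed, enforce_idle=True):
        """Issue a credential only after the second factor has been verified."""
        if not mfa_passed:
            raise PermissionError("second factor required")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, enforce_idle)
        return token

    def authorize(self, token, now):
        """Return the user if the credential is still valid, otherwise None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created > self.absolute:      # absolute lifetime applies to everything
            del self._sessions[token]
            return None
        if s.enforce_idle and now - s.last_seen > self.idle:
            del self._sessions[token]           # idle timer fired: revoke server-side
            return None
        s.last_seen = now                        # activity keeps the session alive
        return s.user


def compare_policies():
    """Walk a browser session, an idle-exempt app credential, and a policy-bound
    app credential through the same constructed timeline."""
    store = SessionStore()
    t0 = 1_700_000_000.0  # constructed epoch timestamp for the login
    web = store.login("alice", t0, mfa_passed=True, enforce_idle=True)
    app_exempt = store.login("alice", t0, mfa_passed=True, enforce_idle=False)  # the gap
    app_bound = store.login("alice", t0, mfa_passed=True, enforce_idle=True)    # the fix

    results = {}
    t1 = t0 + 10 * 60   # 10 minutes later: inside the idle window, all three valid
    results["web_10min"] = store.authorize(web, t1)
    results["app_exempt_10min"] = store.authorize(app_exempt, t1)
    results["app_bound_10min"] = store.authorize(app_bound, t1)

    t2 = t1 + 30 * 60   # 30 minutes of inactivity: the idle timer has fired
    results["web_after_idle"] = store.authorize(web, t2)
    results["web_replay"] = store.authorize(web, t2 + 1)   # revoked token cannot be reused
    results["app_exempt_after_idle"] = store.authorize(app_exempt, t2)
    results["app_bound_after_idle"] = store.authorize(app_bound, t2)

    t3 = t0 + 9 * 3600  # past the absolute lifetime: even the exempt credential dies
    results["app_exempt_after_absolute"] = store.authorize(app_exempt, t3)
    return results


if __name__ == "__main__":
    for name, user in compare_policies().items():
        print(f"{name:28s} -> {'granted to ' + user if user else 'denied'}")
```

The exempt app credential stays valid across the idle gap while the browser session does not, which is the behaviour the post describes; binding the app credential to the same idle policy (or at minimum enforcing an absolute lifetime on it) closes the gap on the server side rather than relying on the client.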
