Jira Auth Bypass bug in Google Acquisition (Apigee)

Jayateertha Guruprasad
2 min readFeb 25, 2021


I was looking for blogs on GoogleVRP reports as well as noting down it’s popular aquisitions.

Then I found a blog (https://tutorgeeks.blogspot.com/2018/08/misconfigured-jira-setting-apigee.html ) which talks about unauthenticated Jira instance leaking dashboard name ,project title and user profile picture by applying filters.

It also mentions ,the website supports only logging in with @apigee.com email address,So I thought why not try logging in using Google OAUTH. I signed in using my Gmail account and got successfully logged in !!!

Now I visited https://apigeesc.atlassian.net/jira/dashboards?view%3Dpopular ,it was leaking dashboard names and project titles along with user display pictures.

If you visit the link unauthenticated you can’t find these information ,so it’s a Auth Bypass bug I could login to internal Jira instance using OAUTH sign-in using Gmail account.

Now , I didn’t stop here , I ran a nuclei scan against the website with Jira templates.

I found a endpoint through which I can access the same information without authentication. (https://apigeesc.atlassian.net/rest/api/2/dashboard?maxResults=100)

This provided JSON output even for unauthenticated users.

So ,I found a way to access dashboard using authenticated way(OAUTH login) and also unauthenticated way using rest API.

1.Attacker is able to find employee details of apigee working in a specific
2.Apigee’s new feature or severe bug in project title can be leaked.

3. Moreover when I was authenticated ,I was also able to create private dashboards.

I made a nice report explaining everything and reported to GoogleVRP.

The bug was accepted, rewarded ($xxx) and fixed.




Liked my article ? Follow me on twitter (@jayateerthaG) and medium for more content about bugbounty, Infosec, cybersecurity and hacking.



Jayateertha Guruprasad

I get paid for breaking things !