Jira Auth Bypass bug in Google Acquisition (Apigee)

I was looking for blogs on GoogleVRP reports as well as noting down it’s popular aquisitions.

Then I found a blog (https://tutorgeeks.blogspot.com/2018/08/misconfigured-jira-setting-apigee.html ) which talks about unauthenticated Jira instance leaking dashboard name ,project title and user profile picture by applying filters.

It also mentions ,the website supports only logging in with @apigee.com email address,So I thought why not try logging in using Google OAUTH. I signed in using my Gmail account and got successfully logged in !!!

Now I visited https://apigeesc.atlassian.net/jira/dashboards?view%3Dpopular ,it was leaking dashboard names and project titles along with user display pictures.

If you visit the link unauthenticated you can’t find these information ,so it’s a Auth Bypass bug I could login to internal Jira instance using OAUTH sign-in using Gmail account.

Now , I didn’t stop here , I ran a nuclei scan against the website with Jira templates.

I found a endpoint through which I can access the same information without authentication. (https://apigeesc.atlassian.net/rest/api/2/dashboard?maxResults=100)

This provided JSON output even for unauthenticated users.

So ,I found a way to access dashboard using authenticated way(OAUTH login) and also unauthenticated way using rest API.

Impact:
1.Attacker is able to find employee details of apigee working in a specific
project/team.
2.Apigee’s new feature or severe bug in project title can be leaked.

3. Moreover when I was authenticated ,I was also able to create private dashboards.

I made a nice report explaining everything and reported to GoogleVRP.

The bug was accepted, rewarded ($xxx) and fixed.

References:

https://hackerone.com/reports/332586

https://tutorgeeks.blogspot.com/2018/08/misconfigured-jira-setting-apigee.html