The bug was detected by Positive Technologies expert Mikhail Klyuchnikov, who discovered the vulnerability in a package called Jira, a system for bug tracking and project management. Jira Software is part of a family of products designed to help teams of all types manage work.
The discovered vulnerability (CVE-2020-14181) was assessed as having a medium severity level. The company has since corrected the error, although the implications are worth unravelling, and the lessons from the incident can inform the controls put in place in future.
The form of the discovered vulnerability allows hackers to extract sensitive information relating to the system's users.
Klyuchnikov tells Digital Journal that these types of vulnerabilities serve to “help attackers to significantly save time in their attempts to breach systems.” Of particular concern is the means to “determine the presence of an account with a particular login in the system”, whereby hackers can “identify which users are present in the system.”
As an example, Klyuchnikov says: “If a login exists, the system discloses the user’s personal data, and if a login is not found, the system reports it. But by brute-forcing the existing logins, hackers could go on to brute-force the passwords of each existing user.”
Furthermore, the expert says: “The vulnerability reduces the time hackers would need and decreases the probability of being detected.”
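The oracle Klyuchnikov describes, shown as an added example that is not the article's or Jira's own code: a lookup handler whose reply differs for existing and unknown logins, its hardened form, and a log heuristic that flags a single source probing many distinct logins. The endpoint path, user record and log lines are all constructed for illustration.

```python
from collections import defaultdict

# Constructed user store: login -> personal data (not real Jira data)
USERS = {"alice": {"name": "Alice Example", "email": "alice@example.test"}}

def lookup_vulnerable(login):
    """Existence oracle: a known login returns personal data, an unknown
    one returns a distinguishable 'not found' reply."""
    if login in USERS:
        return {"status": 200, "body": USERS[login]}
    return {"status": 404, "body": {"error": "user not found"}}

def lookup_hardened(login, requester_is_authorized=False):
    """Same status and body shape whether or not the login exists; personal
    data is returned only to a caller already authorised to see it."""
    if requester_is_authorized and login in USERS:
        return {"status": 200, "body": USERS[login]}
    return {"status": 200, "body": {}}

def leaks_existence(handler):
    """True if the unauthenticated reply distinguishes a real login from a
    non-existent one, i.e. the handler can be used as an oracle."""
    return handler("alice") != handler("no-such-user-zz")

def distinct_logins_per_source(log_lines, threshold=5):
    """Defender-side heuristic: count distinct logins each source IP sent to
    the lookup endpoint; return sources at or above the threshold.
    Constructed log format: '<ip> <method> <path>'."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, _method, path = line.split()
        if path.startswith("/api/user-lookup?login="):
            seen[ip].add(path.split("login=", 1)[1])
    return {ip: len(names) for ip, names in seen.items() if len(names) >= threshold}

# Constructed sample log: one source walks through six logins, another
# repeats a single login and browses normally.
SAMPLE_LOG = [
    "203.0.113.9 GET /api/user-lookup?login=alice",
    "203.0.113.9 GET /api/user-lookup?login=bob",
    "203.0.113.9 GET /api/user-lookup?login=carol",
    "203.0.113.9 GET /api/user-lookup?login=dave",
    "203.0.113.9 GET /api/user-lookup?login=erin",
    "203.0.113.9 GET /api/user-lookup?login=frank",
    "198.51.100.4 GET /api/user-lookup?login=alice",
    "198.51.100.4 GET /api/user-lookup?login=alice",
    "198.51.100.4 GET /dashboard",
]
```

Running `leaks_existence` against both handlers shows why a uniform reply matters, and the log heuristic gives the detection signal the expert says enumeration is designed to avoid.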