It was possible for a third party website to retrieve information about the currently logged in user via the Bitbucket API. This data included email addresses, SSH public keys, and repository information.

This vulnerability was first reported and patched in mid-2012. It was rediscovered and patched again in mid-2013.

What is JSONP?

From http://en.wikipedia.org/wiki/JSONP:

JSONP or “JSON with padding” is a communication technique used in JavaScript. It provides a method to request data from a server in a different domain, something prohibited by typical web browsers because of the same origin policy.

I gave a presentation late last year which has a bit more information on JSONP and more examples of sites that had JSONP-related vulnerabilities in the past (including the original instance of this vulnerability).

Vulnerability Details: Mid-2012

Back in 2012, Bitbucket’s REST API was accessible at https://api.bitbucket.org/1.0/. The API at that URL was meant to use OAuth tokens for authentication. In my investigation, I discovered that the API could also be accessed via a second URL, https://bitbucket.org/!api/1.0/. The difference between the two was that the second URL could authenticate requests using the browser’s cookies. Both forms of the REST API supported JSONP via a callback parameter passed in the URL.

As a result, it was possible for a third-party website to add a <script> tag that would pull in user information via JSONP API queries. To demonstrate the issue I built a proof of concept page which would make simple queries to the API. Those queries could uncover user information, email addresses, and SSH keys linked to an account. More complicated queries (i.e. those involving repositories that the currently logged in user could access) were possible as well, although not built into the proof of concept.

I reported the issue to security@atlassian.com and it was patched approximately six hours later.

Vulnerability Details: Mid-2013

In mid-2013 I retested the site and discovered, to my surprise, that the vulnerability had reappeared. Looking at the API documentation, the main endpoint had been moved to https://bitbucket.org/api/1.0. Now no matter which URL I used I was able to extract user information via JSONP. In addition, although the API endpoints I used to fetch email and SSH public key information were no longer documented, my existing proof of concept worked without any modifications. I reported the issue to Atlassian again and it was patched again.
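Since the root cause in both 2012 and 2013 was the same (a cookie-authenticated endpoint willing to pad its response with a caller-supplied callback), the check below is an added example, not Bitbucket's or Atlassian's code, of how an API with both an OAuth and a cookie front door can gate JSONP, and it doubles as the kind of regression test that would have caught the reappearance. It assumes a session cookie named `session` and a request object shaped like `{ url, headers }`; both are constructed stand-ins.

```javascript
// Added example, not Bitbucket's code. A third-party <script src="..."> request
// carries the victim's cookies but can never carry an Authorization header, so
// padding a response as JSONP is only safe when the request was authenticated by
// an explicit token (or not at all), never by ambient cookie credentials.
// Assumptions: the session cookie is named "session"; `req` is a plain object
// shaped like { url, headers } standing in for a real HTTP request.

const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$/;

function classifyAuth(req) {
  const auth = req.headers.authorization || '';
  if (/^(OAuth|Bearer) /i.test(auth)) return 'token';
  const cookie = req.headers.cookie || '';
  if (/(^|;\s*)session=/.test(cookie)) return 'cookie';
  return 'anonymous';
}

function buildResponse(req, payload) {
  const url = new URL(req.url, 'https://api.example.invalid');
  const callback = url.searchParams.get('callback');
  const auth = classifyAuth(req);
  const json = JSON.stringify(payload);
  const base = { 'X-Content-Type-Options': 'nosniff' };

  if (callback === null) {
    // Plain JSON: the same-origin policy keeps this unreadable cross-site.
    return { status: 200, headers: { ...base, 'Content-Type': 'application/json' }, body: json };
  }
  if (auth === 'cookie') {
    // The bug described above: padding a cookie-authenticated reply hands the
    // logged-in user's data to any page that embeds the script.
    return { status: 403, headers: { ...base, 'Content-Type': 'application/json' },
             body: JSON.stringify({ error: 'JSONP is not available for cookie-authenticated requests' }) };
  }
  if (!CALLBACK_RE.test(callback)) {
    // Reject callback names that would inject arbitrary script into the padding.
    return { status: 400, headers: { ...base, 'Content-Type': 'application/json' },
             body: JSON.stringify({ error: 'invalid callback name' }) };
  }
  // Token-authenticated or anonymous: safe to pad. The leading comment is a
  // common hardening so the body cannot be misread as another file format.
  return { status: 200, headers: { ...base, 'Content-Type': 'application/javascript' },
           body: `/**/${callback}(${json});` };
}
```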

Disclosure Timeline

  • May 30th, 2012 11:08 AM: Initial email with proof of concept sent to security@atlassian.com.
  • May 30th, 2012 6:48 PM: Response from Atlassian, fix has been rolled out. Asks for confirmation that issue has been resolved.
  • May 30th, 2012 6:58 PM: Reply to Atlassian confirming fix.
  • June 11th, 2013 11:11 AM: Email sent to security@atlassian.com informing them that vulnerability has reappeared. Included previous correspondence, link to proof of concept.
  • June 11th, 2013 8:36 PM: Reply from Atlassian, claim that vulnerability was patched last year and that patch was still in place.
  • June 11th, 2013 8:56 PM: Email sent to Atlassian, disputing assertion that vulnerability is patched. Screenshots and additional information related to proof of concept attached.
  • June 11th, 2013 9:09 PM: Reply from Atlassian, confirming that vulnerability has reappeared.
  • Prior to June 26th, 2013: Testing confirms that vulnerability is patched in production.
  • June 26th, 2013: Published blog post