On November 21st a Tech Rat team member reported to the rest of the team that they had logged into Jira as another user. This behavior is consistent with the previous incident of cross-session authentication, after which a tentative fix was deployed along with extensive logging so that any further occurrence would be traceable.
The logging supplied enough information to identify the root cause: a singleton instance of the HTTP request client used by the frontend's server-side code. The problem has now been patched.
Nov 22 14:36 UTC – Tech Rat team member logged into Jira as another user and reported it to their teammates.
Nov 22 18:44 UTC – The issue was verified and work to track down the root cause began.
Nov 22 23:35 UTC – A fix to the website was pushed.
Nov 22 23:55 UTC – The fix was verified after testers replicated the conditions that would have triggered the bug.
The issue was caused by a programming error in the frontend website's code, which did not account for race conditions between web requests triggered from the server side. As part of the OAuth2 flow for authenticating users against third-party applications, the frontend's server-side code sends an HTTP GET through a singleton Axios instance, carrying the user's auth token as read from that user's cookies. The token was stored on the shared instance rather than on the individual request. That is the point of vulnerability: because the server handles requests for many users concurrently, a second user's request arriving while the first is still being processed overwrites the token on the Axios instance, and the first user's request goes out carrying the second user's token. Whichever request is sent with the wrong token is authenticated as the wrong user.
The deployed fix sets the user's token on each individual request sent through Axios, so no per-user state is stored on the shared instance.
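The following is an added illustration of the race described above, written for this write-up; it is not the Tech Rat code base. The client is a minimal stand-in for a shared HTTP client singleton (not Axios itself), and the cookie values, URL and handler names are constructed for the demo. It runs the vulnerable pattern (token written to the singleton's defaults) and the fixed pattern (token passed with each request) with two concurrent users and reports which Authorization header each outgoing request actually carried.

```javascript
// Minimal stand-in for a shared HTTP client singleton (constructed for the demo, not axios).
// It records what it would have sent so the outcome can be inspected.
function makeClient() {
  const sent = [];
  return {
    sent,
    defaults: { headers: {} },
    async get(url, config = {}) {
      // Headers are resolved when the request is issued: instance defaults,
      // overridden by anything passed for this particular call.
      const headers = { ...this.defaults.headers, ...(config.headers || {}) };
      sent.push({ url, authorization: headers.Authorization });
      return { status: 200, data: {} };
    },
  };
}

// Stands in for any awaited work between reading the cookie and sending the
// request (a session lookup, a render step, an earlier API call).
const yieldToEventLoop = () => new Promise((resolve) => setTimeout(resolve, 0));

// VULNERABLE pattern: the per-user token is written onto the singleton, so it is
// shared by every request currently in flight on the server.
async function vulnerableHandler(client, req) {
  client.defaults.headers.Authorization = `Bearer ${req.cookies.auth_token}`;
  await yieldToEventLoop();            // another user's handler can run here and overwrite it
  return client.get("/oauth2/userinfo"); // sends whatever token is on the instance right now
}

// FIXED pattern: the token travels with this request's config; nothing shared is mutated.
async function fixedHandler(client, req) {
  const authorization = `Bearer ${req.cookies.auth_token}`;
  await yieldToEventLoop();
  return client.get("/oauth2/userinfo", { headers: { Authorization: authorization } });
}

// Drive two concurrent requests for two different users through a handler and
// return the Authorization header each outgoing request carried, in send order.
async function runConcurrently(handler) {
  const client = makeClient();
  const alice = { cookies: { auth_token: "alice-token" } }; // constructed sample user
  const bob = { cookies: { auth_token: "bob-token" } };     // constructed sample user
  await Promise.all([handler(client, alice), handler(client, bob)]);
  return client.sent.map((r) => r.authorization);
}

async function demo() {
  return {
    vulnerable: await runConcurrently(vulnerableHandler), // both go out as bob
    fixed: await runConcurrently(fixedHandler),           // alice then bob
  };
}

demo().then((result) => console.log(JSON.stringify(result, null, 2)));
```

With the vulnerable handler, alice's request is sent with bob's token because bob's handler ran during alice's await and replaced the shared header; with the fixed handler each request carries its own token regardless of interleaving. The same shape applies to any per-request value (user id, locale, tenant) written to a module-level client, and the same fix applies: carry it in the request, never on the singleton.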
A recurrence was expected, since the fix applied after the previous incident had not been verified to address the root cause. The tech team therefore handled this occurrence promptly, and the additional logging provided the clues needed to see what was happening. Once the root cause was identified, the fix itself was straightforward to apply. No personal information was leaked during the incident.
Frontend website code was patched to ensure that all requests to the API are sent using the correct user context. Further information about the previous incident is available here.