2 min

The default password of Atlassian Confluence accounts circulates on Twitter. The password makes it possible to access the internal data of Confluence users.

Atlassian Confluence is a content management solution. Organizations use the software to write and share internal project information in a secure environment. That’s the idea, anyway. For some, the environment is all but secure.

On Wednesday 20 July, Confluence’s developer announced a serious vulnerability. Atlassian stated that an optional application for Confluence stored a default account password in its source code. The optional application is called ‘Questions for Confluence’ and has over 8,000 installations.

The application creates an account during installation. Anyone with source code access can view the account’s default password. The account, in turn, provides access to the project information and user data of Confluence users.

The vulnerability is critical, as some Confluence environments host sensitive company and project data. Meanwhile, the default password circulates on Twitter. Users can protect themselves with a workaround, but anyone that fails to take measures risks a data breach.

Problem and workaround

The vulnerability is present in ‘Questions for Confluence’ versions 2.7.x to 3.0.x. The software creates a default account during installation. The account helps administrators move data between the application and the Confluence Cloud service. The account’s default credentials are out on the street.

Patching won’t solve the problem. The account remains stored in between versions, meaning anyone that installed the app between versions 2.7.x and 3.0.x is at risk. Atlassian advises Confluence users to search their account registry for the following login credentials: ‘disabledsystemuser’ and ‘dontdeletethisuser@email.com’. Delete the account as soon as you find it. From thereon, the leaked credentials are harmless.

Finally, Atlassian recommends checking whether the account has been used in the past. The organisation shared a guide on its website.