Security update for Google Analytics in Jira Cloud

The Google Analytics in Jira Cloud app has been updated.

There are 2 main functional differences that you need to be aware of:

  • Configuration is now stored within the app itself

  • Anonymous users can now be tracked

Why change now?

As part of the Atlassian Marketplace Bug Bounty Program, our apps are investigated by security researchers. This has led to the discovery of a privilege escalation bug in the way the app's configuration is saved to Jira.

To fix this bug, we have taken the decision to rearchitect the app using Atlassian’s own Atlassian Connect Express framework and store the configuration (which was previously stored in Jira) within the app itself.

What are the implications of the privilege escalation bug?

Only an administrator should be able to configure the app.

The privilege escalation bug allowed a user who had previously logged in as an administrator to copy the session data from that administrator session, log in again as a user with lower privileges, and update the configuration as if they were still an administrator.

How could this manifest in your Google Analytics data?

If the Google Analytics account details were incorrect, you would see a complete drop in your Google Analytics data.

Could an unauthorised person access your Google Analytics account?

No. Only persons who have authorised access to a Google Analytics account managed by you would have access to the data and reports.

What data is stored within the app after the update?

We store only the minimal data that is absolutely essential for the working of the app.

From Google Analytics we store:

  • Account ID, Internal Web Property ID and View ID - each is numeric, and together they allow us to display Google Analytics data inside Jira on your behalf

  • Web Property ID - a string e.g. UA-XXXXX-YY - which allows us to send tracking data to Google Analytics on your behalf

The data is saved in the following format within the app's datastore:

    {
      "accountId": "987654",
      "internalWebPropertyId": "987654321",
      "webPropertyId": "UA-9876543-21",
      "viewId": "234567899"
    }

From Jira, we optionally store a list of entitled groups; members of these groups have access to the Google Analytics report pages within Jira.

The data is saved in the following format within the app's datastore:

    ["site-admins","jira-admins-dsapps-001","jira-software-users-dsapps-001"]
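As an added example (not the app's own code), the snippet below shows how a configuration-save handler could validate the two records described above and gate access on them; isAdmin is a hypothetical per-request lookup against Jira, and treating an empty entitled-groups list as "nobody can view" is an assumption made here.

```javascript
// Added example, not the app's own code. Validates the two records the
// advisory says the app stores and decides access from the caller's role
// as resolved server-side for the current request, not from stored data.
const NUMERIC = /^\d+$/;
const UA_PATTERN = /^UA-\d+-\d+$/;

// Returns a list of problems; an empty list means the record is well-formed.
function validateAnalyticsConfig(config) {
  const errors = [];
  for (const key of ['accountId', 'internalWebPropertyId', 'viewId']) {
    if (typeof config[key] !== 'string' || !NUMERIC.test(config[key])) {
      errors.push(`${key} must be a numeric string`);
    }
  }
  if (typeof config.webPropertyId !== 'string' || !UA_PATTERN.test(config.webPropertyId)) {
    errors.push('webPropertyId must match UA-XXXXX-YY');
  }
  return errors;
}

function validateEntitledGroups(groups) {
  return Array.isArray(groups) && groups.every((g) => typeof g === 'string' && g.length > 0);
}

// Assumption: a caller must belong to at least one entitled group to see
// report pages, so an empty list fails closed and grants nobody access.
function canViewReports(userGroups, entitledGroups) {
  return entitledGroups.some((g) => userGroups.includes(g));
}

// isAdmin is a hypothetical lookup that asks Jira, for this request, whether
// the caller is an administrator; the stored record itself carries no role data.
function saveConfig(store, caller, isAdmin, config, entitledGroups) {
  if (!isAdmin(caller)) return { ok: false, reason: 'forbidden' };
  const errors = validateAnalyticsConfig(config);
  if (errors.length) return { ok: false, reason: errors.join('; ') };
  if (!validateEntitledGroups(entitledGroups)) return { ok: false, reason: 'bad groups' };
  store.config = { ...config };
  store.entitledGroups = [...entitledGroups];
  return { ok: true };
}

// Constructed sample values matching the formats shown above.
const SAMPLE_CONFIG = {
  accountId: '987654', internalWebPropertyId: '987654321',
  webPropertyId: 'UA-9876543-21', viewId: '234567899',
};
const SAMPLE_GROUPS = ['site-admins', 'jira-admins-dsapps-001', 'jira-software-users-dsapps-001'];
```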

Do I need to do anything to update the app?

The update should install automatically over the coming days. If it has not done so for your Jira instance, go to Apps | Manage your apps in the Jira top menu and find Google Analytics in Jira in the list of apps. If the update has not taken place, click the Update button on the right-hand side.

Further details on updating apps: https://confluence.atlassian.com/upm/updating-add-ons-273875710.html

Upon update, the existing settings should automatically be migrated into the app's datastore.

If for any reason the settings do not automatically migrate, you can simply reapply the settings on the configuration page.

Anonymous users can be tracked?

Yes, that's right. While we were storing the configuration settings within Jira, anonymous users could not access the configuration settings, so without the Google Analytics Web Property ID, we could not track anonymous users on your behalf.

Now that we have moved configuration settings within the app, we can securely access the configuration information from within the app for all users, so can now send tracking data for both logged in and anonymous users.

Any questions?

If you have further questions about this update, please email us at support@dsapps.dev or open a support ticket.