Hello, welcome to the Monday, August 5th, 2019 edition of the Sansonet Stormson.

My name is Johannes Ulrich.

And I'm recording from Jacksonville, Florida.

We've got a nice blog post by Avinajian.

And he's talking sort of about a follow-up of some discovery that he made a couple months ago

about exposed Jira servers.

Now, back a couple months ago, it was in particular about a NASA Jira server that he found,

but he took that a little bit further.

And what he found was literally hundreds,

if not thousands of GERA servers, some of them belonging to Fortune 500 companies that are

exposing user details. The problem here is that in GERA, when you're setting up a project, by default, the visibility

is set to all users and everyone, which actually means, well, literally all users, not just

users that are registered with the server.

Instead, it exposes, for example, user names and email addresses as well as their

roles and gira groups to anybody who comes across that gera server.

jera is quickly becoming sort of one of those systems that you probably should not expose to the public internet at all. Now, this can be tricky

given some of the global nature of some development teams, but maybe protected behind VPN or

some other form of additional layer of authentication,

maybe a better idea.

Avinaj was able to find some of these servers

with simple Google queries

because after all, Google knows everything.

...