ZDNET

Best music service 2021: Premium music streaming apps

Published

on

Sure, you can listen to live radio or stream music for free. And if music is just background noise, then you might be willing to put up with ads and the occasional inability to skip a track you don’t really like in a music streaming service’s free tier. But if you’re a real audiophile, you’re probably willing to pay for a subscription service to rid yourself of those annoyances. You have plenty of online options to choose from, as we learned in researching this guide.

Most of the mainstream services have access to the same collection, encompassing tens of millions of tracks from major labels and most independents, and some (but not all) offer free versions. What do paid subscribers get? For starters, ad-free streaming, along with the ability to save content for offline listening and stream any song or album on demand. Most also offer some combination of custom playlists, smart DJs, artist-inspired radio stations, and other new music discovery options based on your previous listening history.

A few of the services in this list of best music streaming services also offer the option to buy music and add it to your collection, and several others include tools to upload tracks from your personal collection to mix and match with the online catalog. For an extra few bucks a month, music fans with golden ears and high-end hardware can upgrade from compressed audio to ultra-high-quality lossless streams.

Spotify: Family plan includes up to six accounts, but only if you’re all at the same address

Plans and pricing: Individual, $10 per month; Family Plan, $15 per month for up to six accounts “for family members living under one roof”; Student (at “accredited higher education institution”), $5 per month, includes ad-supported Hulu and Showtime streaming. Also has a free version.

The 800-pound gorilla of music apps earned its top status by being downright addictive, with some of the best smart playlists around and extensive support for podcasts. It also has the best social connections, as long as you’re willing to connect your Facebook and Spotify accounts. You can share playlists easily without having to involve Facebook, and you can always stream your guilty pleasure tracks in a private session if you don’t want your music snob friends to know you’re crushing on Coldplay or Nickelback. Be aware of a big gotcha in the family plan, which allows family members to share the account only if they’re at the same address. That’s a problem if your kids are away at college in another city.

Our favorite Spotify feature, by far, is the ability to switch outputs on the fly, so you can flip in midstream from the smart speaker in your office to your living room’s big sound or from your desktop app to your phone without missing a beat. The service also lets you upload personal content, although the procedure for doing so is cumbersome. For years, Spotify’s 10,000-song limit was frustratingly easy for a diehard music fan to hit. As of May 2020, however, that limit is officially removed.

Apple Music: Get iTunes exclusives and upload your own collection

Plans and pricing: Individual, $10 per month; Family, $15 per month for up to six accounts using iCloud Family Sharing; Student (“college Student only, verification required”), $5 per month, includes Apple TV+ access.

If you love iTunes on your iPhone, you’ll love Apple Music. Steve Jobs and his successors have been leaders in digital music for two decades, and even if they were late to the subscription and streaming party, they’ve since made up for lost time. Apple Music has an enormous library that includes some iTunes-exclusive albums and tracks, as well as curated playlists and live radio. The service is available on a surprising number of platforms, including Android devices and even Samsung Smart TVs.

Using a signature feature of the service, you can upload your personal music collection to the iCloud Music Library. The good news is that your quota is a generous 100,000 tracks, and those you purchased from iTunes or downloaded for offline listening don’t count in that total. The bad news is you’ll need to use the iTunes software on a PC or a Mac to accomplish that upload. Those who have a love-hate relationship with Apple’s legacy music client will just have to grin and bear it.

YouTube Music Premium: Huge catalog, slick apps, best for personal collections

Plans and pricing: Individual, $10 per month; Family, $15 per month for up to six people; Student, $5 per month, with annual verification required

For years, Google’s subscription music service was called Google Play Music. In true Google fashion, the company killed off that product in 2020, replacing it with this spin-off under the YouTube brand. As a longtime fan of the original service, I’m happy to report that YouTube Music Premium is a worthy upgrade. (The music service is also included with ad-free YouTube Premium subscriptions, which cost $12 per month or $18 for a family plan.)

If you’re comfortably ensconced in the Google ecosystem, this service has a lot to offer. Its algorithmic playlists are extensive and smart, its streaming catalog is huge, and the apps for iOS, Android, and the Chrome browser are slick and easy to use. Even with a free account, you can upload up to 100,000 tracks from your personal collection using a desktop browser. Unlike other services, which limit uploads to compressed MP3 or AAC formats, YouTube Music allows you to upload FLAC, M4A, OGG, and other high-fidelity tracks. And even with a free account you can play those uploaded tracks in the background and download them for ad-free, offline listening.

Amazon Music Unlimited: Best for Amazon Prime members

Plans and pricing: Individual, $10 per month ($8 for Prime members); Family, $15 per month for up to six accounts; Single device, $4 per month for one Echo or Fire TV device; Student at accredited college or university, $5 per month ($1 for Prime members)

Amazon’s entry in the streaming category is exactly what you would expect. It has a huge selection, offers apps on every platform, and can be controlled using voice commands (“Alexa, play Erykah Badu”) on a wide variety of devices. At $4 a month, the single-device plan offers an economical option for listening to tunes on one of Amazon’s Echo devices. For an extra five bucks a month, you can upgrade to Amazon Music HD, which delivers lossless, uncompressed audio for albums and songs that are available in that format.

The service makes the most sense for Amazon Prime members, who get a $2 per month discount and can get an even bigger discount by paying $80 for an annual Prime Music subscription. If you have a personal music collection, however, this service falls short. Amazon eliminated its upload option several years ago, and the selection is limited to tunes you stream or those you’ve purchased directly from Amazon.

Tidal: High-end sound from an artist-focused service

Plans and pricing: Premium, $10 per month ($13 in App Store); Hi-Fi, $20 per month ($26 in App Store); 50% discount for up to five additional family members on either plan

Tidal landed with a very big splash when it debuted in 2015, thanks to its high-profile owners, a group of A-list musicians led by Beyoncé’s spouse, Shawn “JAY Z” Carter. The service’s commitment to artists is well documented on its transparency-focused FAQ page, which includes some charts showing how its subscription fees are distributed. Although there is no free option, Tidal does offer a 30-day free trial period.

Audio quality, though, is where Tidal stakes its main claim to fame. The Premium “Tidal Masters” plan promises the highest quality music available in a streaming service, while the Hi-Fi plan delivers uncompressed tracks for lossless audio. Whatever you do, though, don’t sign up from inside the Tidal app on an iOS device, unless you are eager to give an unnecessary 30% tip to Apple. Also be aware that Tidal users report (and I can confirm) that the iOS app doesn’t play well with Apple CarPlay, so use that free trial period to do your own tests before paying.

Qobuz: Original studio recording quality

Plans and pricing: Studio Premier, $15 per month or $150 per year; Sublime+, $250 per year

Did your home audio system cost as much as your car? Then please allow us to introduce you to this service, founded in France in 2007, which is laser-focused on delivering recordings (for streaming or purchase) that are “as close to the original studio recording as you can get.” Those recordings sound perfectly good on more modest systems, too.

Qobuz has a quirky vibe, with podcasts and playlists that cover far different territory than the mainstream pop/rock content you find in other services. If you’re looking for the extensive selection of algorithmic playlists you get with Apple Music or Spotify, you’ll be disappointed; but if you know exactly what you like, you’ll appreciate the easy-to-navigate interface. The mobile app works smoothly with Apple CarPlay, for those who paid for the upgraded sound system in their car. Like Tidal, Qobuz supports a long list of high-end hi-fi equipment; it’s also available as a progressive web app (PWA) that plays well with Chrome and Microsoft Edge on Windows PCs and Macs.

This service also wins the contest for coolest name: The founders say they borrowed the Qobuz name from the ancient word Kobyz, a sacred musical instrument that originated in Kazakhstan.

Napster: Generic feature set

Plans and pricing: unRadio, $5 per month; Premier, $10 per month; Family, $15 per month

I know what you’re thinking: Napster, the poster child for music piracy that was shut down by court order two decades ago, is still around? Yes, it is. Well, the brand name survives, anyway, after being bought by Best Buy in 2008 and then sold to Rhapsody (another 1990s hit) in 2011. The service is now mostly used to power third-party services like iHeartRadio but the standalone service still has a small but loyal following. If you’re in the mood to party like it’s 1999, you can still pay your money and stream away with a feature set that’s pretty generic.

Deezer: Non-corporate vibe

Plans and pricing: Premium, $10 per month or $120 per year; Student, $5 per month; Family, $15 per month for up to six profiles

Deezer was the first streaming music service in France, and more than a dozen years later, it survives worldwide with a decidedly non-corporate vibe. A free account gives you 30-second previews of tracks in the web browser but plays full tracks (with ads) on mobile devices. Upgrading to Premium unlocks playback in the web browser (and in the Windows progressive web app) and removes the ads.

Deezer’s special sauce is an algorithmic recommendation feature it calls Deezer Flow, which generates “an infinite mix of favorites and new tracks” based on your feedback. You can choose lossless audio for $20 a month. You can also upload personal MP3 tracks using any web browser, but you’re limited to 2,000 such tracks.

Pandora: Comedy and podcasts too

Plans and pricing: Plus, $5 per month; Premium $10 per month

Pandora is the original set-it-and-forget-it, just-play-me-what-I-like service. It started with the Music Genome project, which led to the algorithm that powered Pandora’s personalized playlist builder, fine-tuned by thumbs up/down recommendations. Pandora Premium is an effort to compete with the more album-focused services that goes beyond the usual stations and allows subscribers to choose individual tracks. The service includes comedy and podcasts as well as music. 

Why are some albums and tracks not available on music services?

The digital catalogs that music streaming services can draw on are governed by contracts between each service and the rights holders (artists, songwriters, publishers, and record labels). Some artists (usually big names with market clout) choose to opt out of streaming. In addition, some older albums, especially those on smaller independent labels, might not be available for streaming. The workaround, if you have a copy of the album in a standard digital format, is to use a service that lets you upload your personal collection and keep it in your library alongside streaming tracks. YouTube Music is especially good at this task, with support for multiple high-quality formats even with free accounts, as we note in our capsule review above.

Are high-quality streaming music services worth the extra cost?

Most music services deliver audio in compressed formats, using the MP3 standard and Apple’s AAC, typically at bitrates of 256 kbps that sound just fine for most people. High-fidelity services typically deliver uncompressed audio or compressed audio at higher bitrates. In a noisy environment, or on a pair of generic earbuds, you probably won’t notice the difference. But even an untrained ear can hear the audio difference on high-end headphones or in a quiet listening space equipped with large, audiophile-quality speakers and amplifier. Only you can decide whether that difference is worth an extra $5 a month or more.

Which music service is most popular?

The Chinese service Tencent Music claimed to have more than 650 million users in March 2020, making it the world’s largest by far, but most of the people listening to those tunes were using the free version. Among paid services, Spotify is still the champ, with more than 120 million paid subscribers and another 150 million users of Spotify’s free product as of March 2020. Apple Music is in second place, with more than 80 million paying customers as of September 2020. Amazon Music claims 60 million paying subscribers, but that includes the Prime Music tier that’s included with a Prime membership. YouTube Music probably has more than 10 million subscribers, but that number has not been publicly disclosed.

Are there other music services to consider?

If your tastes in music are sufficiently off the beaten track that the mainstream services listed above aren’t satisfying, consider these specialized options.

Idagio Premium+

Classical music fans are inevitably frustrated by the most popular music services, which treat symphonies and concertos like third-class citizens. If you prefer Bach to Beck and would rather listen to Mozart than Maroon 5, check out Idagio. It offers two million tracks, a fraction of the 50-60 million tracks that the big pop-focused alternative services deliver, but its selection is exclusively focused on classical labels like Deutsche Grammophon, Decca, and ECM. The paid plans offer major upgrades like lossless audio and the ability to connect to dedicated audio devices.

Primephonic

Join Primephonic and you’ll be in an exclusive club with about 150,000 members, run by absolute classical music fanatics. (Check out their “company values” page for details.) The service boasts of its “definitive catalog” of major labels and obscure indies, as well as smart search that’s built for classical music. (If you’re a classical fan, you know exactly how frustrating it is to find a specific performance on a mainstream music service.) The Premium plan delivers 320 kbps compressed tracks, while the Platinum option uses lossless FLAC streaming. The player streams at the highest sound quality available, including 24-bit recordings.

Nugs.net

The tagline “Live music lives here” and the name, which comes from a slang for high-quality buds, tells you almost everything you need to know about this service. You won’t find the traditional pop/rock labels here. Instead, you can stream audio from more than 15,000 live shows, with jam bands like Dead and Company, Metallica, Pearl Jam, and the Dave Matthews Band topping the bill. Mobile apps on iOS and Android allow subscribers to download concert recordings for offline listening. (You’ll find your saved shows in the My Stash section. Old hippies will get the reference immediately.) The service also offers a selection of live concert videos on demand, and you can upgrade to a higher audio quality or purchase live recordings so you can burn them to CDs or even (shudder) cassette tapes.

LiveXLive Plus/Premium (Slacker)

If we had to describe this service, we’d probably go with something like “quirky, but in a good way.” The Slacker-powered LiveXLive focuses on concert and festival livestreams, with “handcrafted audio stations” as well as an interesting lineup of original shows and podcasts. For fans of live music who aren’t jam-band enthusiasts, this is well worth checking out.

What should you look for in a music service?

Most mainstream subscription-based music services are fairly similar in their broad feature set, with a large collection (50-75 million tracks) available for ad-free streaming and download, along with the ability to create custom playlists and sync them to multiple devices. For our money, the most important questions to ask before settling on a service are these:

  • How important are music recommendations? Apple Music and Spotify have the best collection of algorithmically generated playlists and curated collections. You pick a favorite artist or track, and the algorithm assembles a list of music you’ll probably like. Other, smaller services aren’t as thorough.
  • Does audio quality matter? After more than two decades of digital music, our ears have become accustomed to compressed sound, and most services deliver MP3 and AAC tracks at sufficient quality that your ears won’t hurt. But if you like to listen to exquisitely mastered tracks at full volume on high-end equipment, look for a service like Qobuz, Tidal, or Amazon HD, which specialize in super-high-fidelity recordings.
  • How much time do you spend in the car? In modern cars, Apple CarPlay and Android Auto have become standard features, making it easy to find exactly what you’re looking for. But not all mobile apps play well in these environments. We’ve had serious problems, for example, with Amazon Music and Tidal on CarPlay, and we’re not alone based on our research. For those who spend many hours commuting, we recommend using a service’s free trial period for a thorough road test. 

How did we choose these music services?

Our selections for this guide are based on market research and hands-on personal experience. For our selections, we included only services that are subscription-based, with a full selection of albums and singles from major record labels, with the ability to stream music on multiple platforms, without ads. The ability to save music for offline playback on mobile devices is also a must-have factor.

Using those criteria, we chose not to include a few services that were a less than perfect fit. That list includes SiriusXM, which is more of a radio network than a music service, and 7Digital and eMusic, which focus more on selling music than streaming.

Source: https://www.zdnet.com/article/best-streaming-music-service/#ftag=RSSbaffb68

The human cost of ransomware: Disruption to Irish health service will continue for months

Ireland’s health service faces months of disruption as it continues to recover from a ransomware attack, the head of the Health Service Executive (HSE) has warned. 

HSE, which is responsible for healthcare and social services across Ireland, fell victim to what was described as a “significant” ransomware attack on 14 May.

The attack has been attributed to the Conti ransomware gang. The criminals provided HSE with a decryption tool for free but have threatened to publish the information stolen in the attack, a potential violation of patient privacy, unless they receive a ransom reported to be $20 million in bitcoin, something HSE has vowed not to pay.

But even with the correct decryption key, restoring the network has been a slow and arduous task for HSE. Health services across Ireland remain disrupted as hospitals attempt to treat patients, despite limited IT services and no internet access – meaning appointments are still being delayed or cancelled.

“The restoration process, and the accompanying due diligence exercise, is necessarily taking some time. Although we can effectively decrypt data, that is only one element. The malware must also be eradicated,” HSE CEO Paul Reid told the National Parliament (Oireachtas) Joint Committee on Health.

“Decryption takes much longer than the original encryption, and eradication involves additional tasks to ensure that the perpetrators have no access route back into our systems,” he added. 

Reid described how HSE has decrypted 75% of its servers, and 70% of end-user devices are now available to staff. However, disruptions to patient services are expected to continue for some time – despite IT staff, cybersecurity experts and Ireland’s defence forces working seven days a week to restore the network to fully operational status. 

“There is no underestimating the damage this cyberattack has caused. There are financial costs certainly, but there will unfortunately be human costs as well,” said Reid. “I assure members, and the public, that we are doing everything possible to restore the systems. I must also caution that it will likely take months before systems are fully restored.”

Due to the ongoing disruptions, HSE warns that emergency departments are very busy due to IT outages and significant delays are to be expected, while many X-ray appointments are being cancelled.

Essential and urgent services, including COVID-19 vaccinations, are operating, but patients are warned they could face delays because “systems are not functioning as usual” due to “critical IT systems” still being out of action in the aftermath of the ransomware attack.

Reid told the Committee that there would be “significant learnings about further protections that can be put in place” following the ransomware, and that the fact the attack succeeded at all meant there were “obvious vulnerabilities” in the network.

He also warned that ransomware and the “highly skilled criminal organisations” behind ransomware attacks represent a significant risk to organisations across the globe. 

“The whole world needs to raise its game,” said Reid.

Source: https://www.zdnet.com/article/irish-healthcare-ransomware-attack-three-quarters-of-servers-decrypted-but-disruption-to-services-will-continue-for-months/#ftag=RSSbaffb68

Cybersecurity firms battle DMCA rules over good-faith research

A cohort of cybersecurity companies has signed an open letter asking for reforms to existing DMCA rules in order to protect researchers. 

The Digital Millennium Copyright Act (DMCA), signed into US law in 1998, aims to protect intellectual property rights. 

However, IP laws can be abused by vendors to suppress research going public that could be damaging or embarrassing for a brand — and one area, in particular, Section 1201, has long caused cybersecurity professionals issues when it comes to research and disclosure. 

Section 1201 contains a number of anti-circumvention mandates, including the “circumvention of technological measures” to “descramble a scrambled work, to decrypt an encrypted work, or otherwise, to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”

As explained by Bishop Fox researcher Dan Petro, encryption could be placed on an app, device, or within other software that is being tested, and this then means that a “technological measure” has been broken to access a vendor’s code. 

“So DMCA 1201 can quickly be abused as a magic wand you can wave to make any app or device illegal to inspect, reverse engineer, or find vulnerabilities in if you’re a vendor,” Petro added. 

An example cited by Bishop Fox is that of George “Geohot” Hotz, who was hit with a copyright infringement claim by Sony in 2011 after publishing a method for running homebrew code on PlayStation 3 consoles. The case was settled, with Hotz agreeing to a permanent injunction.

“Unfortunately, some companies hide behind Section 1201 to make their code, software, and other services illegal to assess from a security perspective,” the security firm noted. “By unintentionally (or intentionally) blocking security researchers and making these activities illegal, these companies hinder testing efforts that could benefit the public by protecting their rights and the privacy of their data.”

As an ongoing issue in the cybersecurity realm, the Electronic Frontier Foundation (EFF) has published an open letter signed by 23 organizations — at the time of writing — requesting an overhaul to existing rules. 

The statement says that existing DMCA provisions undermine and suppress “good-faith cybersecurity research,” with independent researchers often finding themselves in a legal firing line for responsibly disclosing weaknesses or vulnerabilities in software — and, simply put, we need this research to continue.

“Some of the most critical cybersecurity flaws of the last decade, like Heartbleed, Shellshock, and DROWN, have been discovered by independent security researchers,” the letter reads. 

Another issue with Section 1201 is noted in the EFF statement — that which prohibits “providing technologies, tools, or services to the public that circumvent technological protection measures” in order to access copyrighted property. 

Third-party tools are often used in security research, and this vague provision can also cause legal problems. While there is an exemption in DMCA law for software analysis, the companies argue that it is “too narrow and too vague” and does not go far enough to protect good-faith research as tools used must be for the “sole purpose” of testing. 

Signatories include Bishop Fox, Rapid7, McAfee, iFixit, HackerOne, and Cybereason.

“We urge policymakers and legislators to reform Section 1201 to allow security research tools to be provided and used for good-faith security research,” the letter reads. “In addition, we urge companies and prosecutors to refrain from using Section 1201 to unnecessarily target tools used for security research.”

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Source: https://www.zdnet.com/article/cybersecurity-firms-battle-dmca-rules-over-good-faith-research/#ftag=RSSbaffb68

BIOSConnect code execution bugs impact millions of Dell devices

Researchers have discovered a set of vulnerabilities that can be chained together to perform code execution attacks on Dell machines. 

On Thursday, Eclypsium said the vulnerabilities, which together equate to a critical chain with a cumulative CVSS score of 8.3, were discovered in the BIOSConnect feature within Dell SupportAssist. 

Altogether, the security flaws could be exploited to impersonate Dell.com and attack the BIOS/UEFI level in a total of 128 Dell laptops, tablets, and desktop models, including those with Secure Boot enabled and Secured-core PCs, owned by millions of consumers and business users. 

According to Eclypsium, “such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls.” 

Dell SupportAssist, often pre-installed on Windows-based Dell machines, is used to manage support functions including troubleshooting and recovery. The BIOSConnect facility can be used to recover an OS in cases of corruption as well as to update firmware. 

In order to do so, the feature connects to Dell’s cloud infrastructure to pull requested code to a user’s device. 

The researchers discovered four vulnerabilities in this process that would allow “a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines.”

The first issue is that when BIOSConnect attempts to connect to Dell’s backend HTTP server, any valid wildcard certificate is accepted, “allow[ing] an attacker to impersonate Dell and deliver attacker-controlled content back to the victim device.”

Additionally, the team found some HTTPS Boot configurations which use the same underlying verification code, potentially rendering them exploitable. 
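To make the certificate-check flaw concrete, here is an added example written for this article; it is not Eclypsium’s or Dell’s code, and the exact check BIOSConnect performed has not been published. The Python below puts a checker that accepts any trusted certificate carrying a wildcard name (the failure class described above) beside one that also requires a subject name to match the expected host under the RFC 6125 wildcard rules. The backend hostname, the certificates and the assumption that chain validation already passed are all constructed for the demo.

```python
"""Hostname verification of a TLS server certificate, beside a checker
that accepts any certificate carrying a wildcard name.

Added example for this article, not Eclypsium's or Dell's code. The exact
check BIOSConnect performed is not published here; this models the failure
class the write-up describes next to a matcher that follows the RFC 6125
wildcard rules. The backend name, the certificates and the assumption that
the CA chain was already validated are all constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed)."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)
    chain_trusted: bool = True  # assume chain validation already ran

    def dns_names(self) -> List[str]:
        # RFC 6125: prefer SAN dNSName entries; fall back to the CN
        return self.san_dns or [self.subject_cn]


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against the expected host.

    A wildcard is honoured only as the entire left-most label
    ("*.example.com"), it covers exactly one label, and it is rejected in
    names with fewer than three labels ("*.com").
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def broken_accepts(cert: Cert, expected_host: str) -> bool:
    """The failure class: a trusted chain plus *any* wildcard name passes.

    expected_host is never consulted, so a certificate for
    *.attacker.example from a public CA impersonates the backend.
    """
    return cert.chain_trusted and any(n.startswith("*.") for n in cert.dns_names())


def strict_accepts(cert: Cert, expected_host: str) -> bool:
    """Chain must validate and one SAN/CN entry must match expected_host."""
    if not cert.chain_trusted:
        return False
    return any(name_matches(n, expected_host) for n in cert.dns_names())


# Constructed inputs; the backend hostname is an assumption for illustration.
BACKEND = "downloads.dell.example"
LEGIT = Cert("downloads.dell.example", ["downloads.dell.example", "*.dell.example"])
ROGUE = Cert("*.attacker.example", ["*.attacker.example"])  # valid chain, wrong host

if __name__ == "__main__":
    for label, cert in (("legit", LEGIT), ("rogue", ROGUE)):
        print(f"{label}: broken={broken_accepts(cert, BACKEND)} "
              f"strict={strict_accepts(cert, BACKEND)}")
```

The point is that chain validation alone proves only that some CA issued the certificate, not that it was issued for the host being contacted; without the hostname match, an attacker who can redirect the client’s traffic and holds a wildcard certificate for a domain they control passes the check. Chain validation itself is left out of the example and has to run as well in a real client.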

Three independent vulnerabilities, described as overflow bugs, were also uncovered by the researchers. Two impacted the OS recovery process, whereas the other was present in the firmware update mechanism. In each case, an attacker could perform arbitrary code execution in BIOS.

However, the technical details of these vulnerabilities will not be disclosed until an upcoming DEF CON presentation in August. 
 
“An attack scenario would require an attacker to be able to redirect the victim’s traffic, such as via a Machine-in-the-Middle (MITM) attack,” the researchers say. “Successfully compromising the BIOS of a device would give an attacker a high degree of control over a device. The attacker could control the process of loading the host operating system and disable protections in order to remain undetected.”

Eclypsium completed its investigation into Dell’s software on March 2 and notified Dell PSIRT a day later, which acknowledged the report. The vendor has since issued a security advisory and has scheduled BIOS/UEFI updates for impacted systems. 

Dell device owners should accept BIOS/UEFI updates as soon as they are available — and patches are due to be released today. The vendor has also provided mitigation options, as detailed in the firm’s advisory. 

“Dell remediated multiple vulnerabilities for Dell BIOSConnect and HTTPS Boot features available with some Dell Client platforms,” Dell told ZDNet. “The features will be automatically updated if customers have Dell auto-updates turned on. We encourage customers to review the Dell Security Advisory (DSA-2021-106) for more information, and if auto-updates are not enabled, follow the remediation steps at their earliest convenience. Thanks to Eclypsium researchers for working directly with us to resolve the issue.”

Source: https://www.zdnet.com/article/biosconnect-code-execution-bugs-impact-millions-of-dell-devices/#ftag=RSSbaffb68

One-click account takeover vulnerabilities in Atlassian domains patched

Vulnerabilities that could allow XSS, CSRF, and one-click account takeovers in Atlassian subdomains have been patched. 

On Thursday, Check Point Research (CPR) said that the bugs were found in the software solutions provider’s online domains, used by thousands of enterprise clients worldwide. 

The Australian vendor is the provider of tools including Jira, a project management system, and Confluence, a document collaboration platform for remote teams. 

The vulnerabilities in question were found in a number of Atlassian-maintained websites, rather than on-prem or cloud-based Atlassian products. 

Subdomains under atlassian.com, including partners, developer, support, Jira, Confluence, and training.atlassian.com were vulnerable to account takeover. 

CPR explained that exploit code utilizing the vulnerabilities in the subdomains could be deployed through a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and a user session would be stolen. 

The issues in the vulnerable domains included a poorly configured Content Security Policy (CSP), parameters vulnerable to XSS, bypasses of the SameSite and HttpOnly cookie protections, and a weak spot that allowed cookie fixation, in which attackers force users to authenticate with session cookies already known to the attacker. 

The researchers say that it was possible to take over accounts accessible by these subdomains through cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. In addition, the vulnerable domains also allowed threat actors to compromise sessions between the client and web server once a user logged into their account.

“With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence,” the researchers said. 

The ramifications of these attacks included account hijacking, data theft, actions being performed on behalf of a user, and obtaining access to Jira tickets.

Atlassian was informed of the team’s findings on January 8, prior to public disclosure. A fix for the impacted domains was deployed on May 18. 

Atlassian told ZDNet:

“Based on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server).”

The research into Atlassian was performed by CPR due to the ongoing issues surrounding supply chain attacks, in which threat actors will target a centralized resource used by other companies. 

If this element can be compromised — such as by tampering with update code due to be pushed out to clients in the case of Codecov — then a wider pool of potential victims can be reached with little effort. 

SolarWinds, too, is a prime example of how devastating a supply chain attack can be. Approximately 18,000 SolarWinds clients received a malicious SolarWinds Orion software update that planted a backdoor into their systems; however, the attackers cherry-picked a handful of victims for further compromise, including Microsoft, FireEye, and a number of federal agencies. 



Source: https://www.zdnet.com/article/one-click-account-takeover-vulnerability-in-atlassian-patched/#ftag=RSSbaffb68
