Users occasionally able to mention users outside the workspace on a private repository
Incident Report for Atlassian Bitbucket

On May 28, 2021, the Bitbucket Cloud support team were made aware of an intermittent issue wherein users collaborating on private repositories were able to mention users from other workspaces on pull request comments.

The functionality supporting user mentions is fairly complex in order to adhere to Atlassian's rigorous Privacy Policy. When a Bitbucket user wants to mention another Bitbucket user, a request is made to a user search platform service responsible for providing a list of users who are authorized to view the resource being commented upon. (For pull request comments, this resource is the underlying repository.) This architecture protects users' privacy by centralizing the enforcement of policies such as how users can be queried from within Atlassian products and what their public display names are.

During our investigation of this issue, Atlassian engineers were able to identify the root cause as a minor bug that would sometimes cause the requests made to the user search service to not specify that results should be filtered to exclude users without access to the repository. This would previously result in an error from the user search service; but a recently deployed change modified this behavior to treat these requests as unscoped requests and search all users. This is equivalent to what happens when you start to mention another user in a pull request comment for a public repository.

It is important to note that this bug, while understandably surprising, did not result in any unauthorized access to sensitive data. For users whose names appeared in mention lists, the only data that was shown was data that those users had already opted to be public as part of their Atlassian account profile. For users trying to mention other users, no unauthorized access was granted to their private repositories; i.e. mentioning an unauthorized user on a private repo does not grant them access nor does it send them any notifications.

We will be addressing the bug resulting the unscoped requests as soon as possible. In the meantime, the user search service change has been rolled back, which should eliminate any further confusion or inconvenience caused by this issue until the root cause is resolved.

Posted May 28, 2021 - 21:12 UTC

We received reports today that users were sometimes able to mention other users on pull request comments from outside the workspaces of private repositories. This issue has already been resolved, but we are creating this incident for transparency with the intention of providing a more detailed description of what went wrong and how we resolved the issue in the postmortem for this incident.

The good news is that we have determined this issue did not result in any unauthorized access to sensitive data. This will be explained in greater detail in the postmortem momentarily.
Posted May 28, 2021 - 18:00 UTC