NASA employee data exposed for at least three weeks due to misconfigured web app

Names and email addresses accidentally made public in the second major security scare in as many months


A misconfigured web app exposed NASA employees' personal details, including their names and email addresses, as well as details about ongoing projects within the space agency.

Incorrectly set permissions within Jira, the web-based issue tracker organisations use to monitor workflow and internal issues, exposed a large volume of internal data for at least three weeks last year, according to security researcher Avinash Jain.


For at least three weeks, anyone on the internet who knew the right URL could read this data without logging in, and it could have helped an attacker gain access to the wider application.

Jain suggested that a system administrator may have misunderstood the meaning of "all users" and "everyone" when assigning permissions to newly created dashboards within the app, taking these terms to mean everyone within the organisation rather than everyone on the internet.

Because of this misconfigured global permission scheme, the exposed data extended to all NASA employees' names and email addresses, the roles assigned to them on projects listed in Jira, and current NASA projects with their upcoming milestones.

Alongside the issue that allowed members of the public to browse a full list of employees, a separate filter misconfiguration exposed how projects and tasks are categorised within NASA and who oversees them.
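The mistake described above is easy to make because a Jira share permission of type "global" reaches anonymous visitors, while "loggedin" (or "authenticated" on Jira Cloud) is what most administrators mean by "everyone". The following audit script is an added example, not code from the article or from Jain's report. It assumes the JSON shapes returned by the `GET /rest/api/2/dashboard` and `GET /rest/api/2/filter/search?expand=sharePermissions` endpoints (a `sharePermissions` list with a `type` field on each entry); the dashboard and filter names in the sample data are constructed for illustration.

```python
"""Flag Jira dashboards and saved filters that are shared with the whole internet.

Assumed response shapes (Jira REST API, labelled as an assumption here):
  GET /rest/api/2/dashboard
      -> {"dashboards": [{"id": ..., "name": ..., "sharePermissions": [...]}]}
  GET /rest/api/2/filter/search?expand=sharePermissions
      -> {"values": [{"id": ..., "name": ..., "sharePermissions": [...]}]}
Each share permission has a "type": "global" means anyone, including
unauthenticated visitors; "loggedin"/"authenticated" means any signed-in
user; "group", "project", "projectRole" and "user" are narrower.
"""

PUBLIC_TYPES = {"global"}
ORG_WIDE_TYPES = {"loggedin", "authenticated"}


def classify_share(perms):
    """Return the widest audience a list of share permissions grants."""
    types = {p.get("type") for p in perms}
    if types & PUBLIC_TYPES:
        return "public"          # readable by anyone on the internet
    if types & ORG_WIDE_TYPES:
        return "all-logged-in"   # everyone in the organisation
    if types:
        return "restricted"      # specific groups, projects or users
    return "private"             # owner only


def audit(dashboards_json, filters_json):
    """Classify every dashboard and filter; returns (kind, id, name, level) tuples."""
    findings = []
    for d in dashboards_json.get("dashboards", []):
        level = classify_share(d.get("sharePermissions", []))
        findings.append(("dashboard", str(d["id"]), d["name"], level))
    for f in filters_json.get("values", []):
        level = classify_share(f.get("sharePermissions", []))
        findings.append(("filter", str(f["id"]), f["name"], level))
    return findings


def public_items(findings):
    """Only the items an anonymous visitor could read."""
    return [f for f in findings if f[3] == "public"]


# Constructed sample data, shaped like the two API responses above.
SAMPLE_DASHBOARDS = {
    "dashboards": [
        {"id": 10100, "name": "Programme milestones",
         "sharePermissions": [{"type": "global"}]},
        {"id": 10101, "name": "Team board",
         "sharePermissions": [{"type": "loggedin"}]},
        {"id": 10102, "name": "My scratch board",
         "sharePermissions": []},
    ]
}

SAMPLE_FILTERS = {
    "values": [
        {"id": 10200, "name": "All open work by owner",
         "sharePermissions": [{"type": "global"}, {"type": "loggedin"}]},
        {"id": 10201, "name": "Ops triage",
         "sharePermissions": [{"type": "group", "group": {"name": "ops"}}]},
    ]
}


if __name__ == "__main__":
    for kind, item_id, name, level in audit(SAMPLE_DASHBOARDS, SAMPLE_FILTERS):
        flag = "EXPOSED" if level == "public" else "ok"
        print(f"{flag:8} {kind:9} {item_id:6} {level:14} {name}")
```

Run against live output, the script would be fed the JSON from the two endpoints fetched with an administrator's credentials; any row marked "public" is readable by anonymous users whenever the instance allows anonymous access at all. A useful cross-check is to request the same endpoints with no credentials: anything that still appears is, by definition, world-readable.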


"This will likely not be a complete list of users like the browse users function, but can glean useful information about how usernames are formatted," Jain wrote in his report.


"Additionally, it can give an attacker an idea of what kind of information may be housed within the application and what projects the team is working upon, along with showing features of different projects."

Jain reported the bug to the NASA Security Operations Centre (SOC) and the US Computer Emergency Readiness Team (US-CERT) on 3 September 2018 and received word the issue had been resolved three weeks later, on 25 September.

A few weeks later, on 9 November, he informed both agencies of his intention to disclose the incident publicly.

This is the second major security scare NASA has sustained in recent months, after malicious actors breached a server in October last year and stole highly sensitive employee information. There is no suggestion that the two incidents are connected.
