A NASA web app leaked details such as employee usernames, names, email addresses, and project names, ZDNet has learned today from bug hunter Avinash Jain.
The exposure originated from one of NASA’s Jira installations, a web app that most companies use for tracking projects or internal bugs and issues.
In a report detailing his finding published today and shared with ZDNet, Jain said the reason for the leak was Jira’s visibility controls, which a NASA system admin appears to have mixed up.
The issue is a well-known one and stems from Jira's use of the terms "Everyone" and "All users" for selecting user access rights. In the past, many Jira admins have mixed up the two by selecting "Everyone" when setting the visibility of various Jira sections. The "Everyone" setting grants access to the project tracker's data to anyone on the internet, including visitors who never log in, and not to everyone in an organization, as some Jira admins might believe. The practical check is simple: open the instance's project list or user search from a browser session with no Jira login; if data comes back, that permission is public.
This is what appears to have happened with this particular NASA Jira installation as well. Jain says that various sections of this app were exposed online and accessible to anyone.
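As an added practitioner's check (example code, not from the article, NASA or Atlassian), the script below probes a Jira instance's REST API v2 without any credentials and reports which endpoints hand data to an anonymous caller, which is exactly what an "Everyone" grant produces. The endpoint paths are Jira's public v2 API; the base URL `https://jira.example.test` and the sample responses are constructed here so the checker runs offline and are not real NASA data.

```python
"""Check a Jira instance for anonymous ("Everyone") exposure via its REST API.

Added example; not code from the article or from Atlassian. The paths below are
Jira's public REST API v2. Whether they answer an unauthenticated caller depends
on the instance's permission scheme, which is what this check measures.
"""
import json
import sys
import urllib.error
import urllib.request

# Endpoints that should not return data to an unauthenticated caller unless a
# project or global permission has been granted to "Everyone" (anonymous).
PROBES = {
    "projects": "/rest/api/2/project",
    "issues": "/rest/api/2/search?jql=order%20by%20created%20desc"
              "&maxResults=5&fields=summary,assignee,reporter",
    "users": "/rest/api/2/user/picker?query=a&maxResults=5",
}


def http_fetch(url, timeout=10):
    """Unauthenticated GET: no cookies, no Authorization header. Returns (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _count_records(probe, body):
    """Number of records the endpoint disclosed; 0 if the body is not JSON or is empty."""
    try:
        data = json.loads(body)
    except ValueError:
        return 0
    if probe == "projects":
        return len(data) if isinstance(data, list) else 0
    if probe == "issues":
        return len(data.get("issues", [])) if isinstance(data, dict) else 0
    if probe == "users":
        return len(data.get("users", [])) if isinstance(data, dict) else 0
    return 0


def check_anonymous_exposure(base_url, fetch=http_fetch):
    """Probe each endpoint without credentials.

    Returns {probe: {"status": int, "records": int, "exposed": bool}}.
    A 200 carrying one or more records means anonymous visitors can read that
    data. A 401/403, or a 200 with an empty result, is the expected closed state.
    """
    base = base_url.rstrip("/")
    report = {}
    for probe, path in PROBES.items():
        status, body = fetch(base + path)
        records = _count_records(probe, body) if status == 200 else 0
        report[probe] = {"status": status, "records": records, "exposed": records > 0}
    return report


def exposed_probes(report):
    """Sorted names of the probes that leaked data."""
    return sorted(name for name, result in report.items() if result["exposed"])


# Constructed sample responses standing in for a misconfigured instance whose
# project and issue browsing are public but whose user picker is not.
SAMPLE_BASE = "https://jira.example.test"  # hypothetical host, not a real instance
SAMPLE_RESPONSES = {
    PROBES["projects"]: (200, json.dumps([{"key": "DEMO", "name": "Demo project"}])),
    PROBES["issues"]: (200, json.dumps({"issues": [
        {"key": "DEMO-1", "fields": {"summary": "Build pipeline flaky"}},
        {"key": "DEMO-2", "fields": {"summary": "Rotate staging credentials"}},
    ]})),
    PROBES["users"]: (403, json.dumps({"errorMessages": ["Permission denied"]})),
}


def sample_fetch(url):
    """Offline stand-in for http_fetch that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(url[len(SAMPLE_BASE):], (404, ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_anonymous_exposure(sys.argv[1])
    else:
        result = check_anonymous_exposure(SAMPLE_BASE, fetch=sample_fetch)
    for name, info in result.items():
        flag = "EXPOSED" if info["exposed"] else "closed"
        print(f"{name:9s} HTTP {info['status']}  records={info['records']}  {flag}")
```

Run it with a real base URL as the only argument to test your own instance; with no argument it runs against the constructed sample and reports projects and issues as exposed. A clean instance answers every probe with 401/403 or an empty result.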
While the exposed data does not include highly detailed personally identifiable information (PII), an attacker could have used the leaked data to refine spear-phishing emails, going after employees working on sensitive projects by spoofing the emails of known colleagues.
Jain says he notified NASA and US-CERT of the leak on September 3; however, the leaky Jira instance was only fixed on September 25, more than three weeks later.
“They don’t seem to have a dedicated team working on responsible disclosure,” Jain told ZDNet today. The researcher says that NASA never replied to his emails, didn’t notify him when they fixed the leaky server, and didn’t thank him for his report, although he did get a thank-you from the US-CERT team.
This was Jain’s first time reporting a security issue to NASA, but the agency’s silence was not a surprise to other researchers, who reported similar experiences of being stonewalled when disclosing security issues to NASA, ZDNet understands.
This doesn’t bode well for the agency, which less than a month ago notified employees of a major security breach during which intruders made off with the personal data of past and current employees.
A NASA spokesperson was not available for comment. However, the two security incidents don’t appear to be related.
The breach that NASA informed employees about last month also exposed Social Security numbers. This type of information wasn’t available on the Jira server that Jain discovered, which was a mere bug tracker for other NASA apps and projects.