An internal NASA app leaked employee emails and project names


A NASA web application leaked information such as user names, names, e-mail addresses, and project names of employees. ZDNet learned today about bug hunter Avinash Jain.

This exhibition came from one of NASA's Jira facilities, a web application that most companies use to track projects or internal problems.

In a report detailing his findings published today and shared with ZDNetJain said the cause of the leak was Jira's visibility controls, which a NASA system administrator seems to have mixed up.

The problem is well known and is related to the use by Jira of the terms "Everyone" and "All Users" for the selection of user access rights. In the past, many Jira administrators have confused the two terms by accidentally selecting "Everyone" when defining the visibility of different sections of Jira. The "Everyone" permission allows anyone on the Internet to access project tracking data, and not all members of an organization, as some Jira administrators might believe.

This is what seems to have happened with this particular installation of NASA Jira. Jain says that various sections of this application have been exposed online and accessible to all.

Although the exposed data does not contain highly detailed personally identifiable information (PII), an attacker could have used the disclosed data to refine the targeting of spear-phishing emails, to target employees working on sensitive projects. usurping colleagues' emails.

NASA leaks data via the Jira server
Image: Avinash Jain

Jain said he notified the leak to NASA and the US-CERT on September 3rd. However, Jira's leaked case was only repaired on September 25, more than three weeks later.

"They do not seem to have a dedicated team working on responsible disclosure," Jain said. ZDNet aujourd & # 39; hui. The researcher stated that NASA had never replied to his emails, that she had not reported it when they were repairing the leaked server, and that he did not bother to thank him for his report. although he received a thank you from the US-CERT team.

This was the first time Jain reported a security problem at NASA, but the agency's silence was not a surprise to other researchers who recounted similar experiences with a dead wall at the time of the disclosure. security issues at NASA. ZDNet includes.

This is not a good sign for the agency that, less than a month ago, informed employees of a major security breach during which intruders had stolen personal data of past and current employees.

A spokesman for NASA was not available to comment. However, the two security incidents do not seem related.

The violation that NASA informed employees last month also revealed social security numbers. This type of information was not available on the Jira server discovered by Jain, which was only a simple bug tracking tool for other applications and projects from the NASA.

More data breach coverage: