NASA Jira Server Leaked Internal Project And Employee Data

  • 439
  •  
  •  
  • 4
  •  
  •  
  •  
    443
    Shares

Once again, NASA has made it into the news because of a cyber security issue. This time, the problem accused due to a misconfiguration of the NASA Jira Server which resulted in data leakage. Allegedly, the server leaked sensitive employee data as well as project details. After the researcher reported the bug to NASA, they quickly patched the bug.

NASA Jira Server Leaked Data Due To Misconfiguration

A researcher discovered a problem with NASA Jira server that caused it to leak internal data. Reportedly, the security engineer and bug hunter Avinash Jain spotted the vulnerability in NASA Jira. Precisely, he noticed a misconfiguration in the app that exposed NASA’s data.

As stated in his blog post,

“There are a couple of settings in Jira that, when not configured properly, may disclose information about the application and its users and it can provide unauthorized access to some internal data of the companies to any other user over the internet. This information may aid an attacker in gaining access to the application.”

Describing the details, he stated that he found problems with the NASA server’s permissions. Any anonymous user could access the “user picker functionality” – a feature in Jira that allows extracting usernames and passwords of all users. In addition, NASA Jira app also had misconfigured filter settings that could give an idea about the team’s internal projects to a potential attacker.

“NASA Jira instance also had a misconfiguration related to Filters setting which lists the most popular filters used to categorizes issues and tasks within the application. It also lists the username of the person who ‘owns’ each of these filters.”

NASA Patched The Flaw

Jain allegedly reported the vulnerability to NASA in September 2018. Nonetheless, it took NASA three weeks to fix the problem. Moreover, as the researcher told ZDNet, he received no response from NASA in his emails. Nor did they inform him about the patch for disclosure.

The following two tabs change content below.
Avatar

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
Avatar

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Do NOT follow this link or you will be banned from the site!