Once again, NASA has made it into the news because of a cyber security issue. This time, the problem occurred due to a misconfiguration of the NASA Jira server, which resulted in data leakage. Allegedly, the server leaked sensitive employee data as well as project details. After the researcher reported the bug to NASA, the agency quickly patched it.
NASA Jira Server Leaked Data Due To Misconfiguration
A researcher discovered a problem with the NASA Jira server that caused it to leak internal data. Reportedly, the security engineer and bug hunter Avinash Jain spotted the vulnerability in NASA Jira. Specifically, he noticed a misconfiguration in the app that exposed NASA’s data.
As stated in his blog post,
“There are a couple of settings in Jira that, when not configured properly, may disclose information about the application and its users and it can provide unauthorized access to some internal data of the companies to any other user over the internet. This information may aid an attacker in gaining access to the application.”
Describing the details, he stated that he found problems with the NASA server’s permissions. Any anonymous user could access the “user picker functionality” – a feature in Jira that allows extracting usernames and passwords of all users. In addition, the NASA Jira app also had misconfigured filter settings that could give a potential attacker an idea about the team’s internal projects.
“NASA Jira instance also had a misconfiguration related to Filters setting which lists the most popular filters used to categorize issues and tasks within the application. It also lists the username of the person who ‘owns’ each of these filters.”
NASA Patched The Flaw
Jain allegedly reported the vulnerability to NASA in September 2018. Nonetheless, it took NASA three weeks to fix the problem. Moreover, as the researcher told ZDNet, he received no response from NASA to his emails. Nor did they inform him about the patch for disclosure.