NASA employee data exposed for at least three weeks due to misconfigured web app
Names and email addresses accidentally made public in the second major security scare in as many months


A misconfigured app exposed NASA employees' personal details, including their names and email addresses, as well as details about ongoing projects within the space agency.
Incorrectly set permissions within Jira, a piece of web-based software used by organisations to monitor workflow and internal issues, exposed a large amount of internal data for at least three weeks last year, according to security researcher Avinash Jain.
These details could have been accessed by anybody on the internet with just the right URL over a period of at least three weeks, and could have aided an attacker in gaining access to the wider application.
Jain claimed a system administrator may have misunderstood the definition of "all users" and "everyone" when assigning permissions to newly-created dashboards within the app, interpreting these terms to mean everyone within the organisation.
Due to this misconfigured global permission scheme, the data exposed extended to all NASA employees' names and email addresses, their roles as assigned to projects listed on Jira, as well as current NASA projects and upcoming milestones.
Alongside an issue that allowed members of the public to browse a full list of employees, a separate filter misconfiguration exposed how projects and tasks are categorised within NASA, and who oversees them.
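As an added illustration (not from the article or from Jain's report), the check below reads a Jira dashboard or filter listing in its REST JSON form and flags every object whose share permission type is `global`, the setting that makes it visible to anyone on the internet rather than only to logged-in users. The sample payload is constructed, and the share-type values are assumed from Jira's REST representation of share permissions.

```python
import json

# Share-permission types as they appear in Jira's REST representation of
# dashboards and filters (assumed values). "global" is the "Public" share:
# anyone on the internet, including anonymous visitors, can view the object.
PUBLIC_SHARE_TYPES = {"global"}
# These types are limited to accounts that can log in to the instance.
INTERNAL_SHARE_TYPES = {"loggedin", "authenticated", "project", "group", "user"}

# Constructed sample resembling a trimmed dashboard listing from the REST API.
SAMPLE_DASHBOARDS = json.dumps({
    "dashboards": [
        {"id": "10000", "name": "System Dashboard",
         "sharePermissions": [{"type": "loggedin"}]},
        {"id": "10100", "name": "Launch milestones",
         "sharePermissions": [{"type": "global"}]},
        {"id": "10200", "name": "Team board",
         "sharePermissions": [{"type": "group", "group": {"name": "eng"}},
                              {"type": "global"}]},
        {"id": "10300", "name": "Private notes", "sharePermissions": []},
    ]
})


def exposure_level(share_permissions):
    """Classify one object's share list as 'public', 'internal' or 'private'."""
    types = {perm.get("type") for perm in share_permissions}
    if types & PUBLIC_SHARE_TYPES:
        return "public"      # a single global share is enough to expose it
    if types & INTERNAL_SHARE_TYPES:
        return "internal"
    if types:
        return "unknown"     # unrecognised type: review by hand
    return "private"         # no shares: owner only


def find_public_objects(payload):
    """Return (id, name) for every dashboard/filter shared with the public."""
    data = json.loads(payload)
    # Dashboard listings wrap items in "dashboards"; filter listings are bare.
    items = data.get("dashboards", []) if isinstance(data, dict) else data
    return [(item["id"], item["name"]) for item in items
            if exposure_level(item.get("sharePermissions", [])) == "public"]


if __name__ == "__main__":
    for obj_id, name in find_public_objects(SAMPLE_DASHBOARDS):
        print(f"PUBLIC: {name} (id {obj_id})")
```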
"This will likely not be a complete list of users like the browse users function, but can glean useful information about how usernames are formatted," Jain wrote in his report.
"Additionally, it can give an attacker an idea of what kind of information may be housed within the application and what projects team is working upon along with showing features of different projects."
Jain reported the bug to the NASA Security Operations Centre (SOC) and the US Computer Emergency Readiness Team (US-CERT) on 3 September 2018 and received word the issue had been resolved three weeks later, on 25 September.
He then informed both agencies of his intention to disclose the incident publicly a few weeks later on 9 November.
This is the second major security scare NASA has sustained in recent months after malicious actors breached a server in October last year and stole highly sensitive employee information. There are no suggestions these two incidents are connected.

Keumars Afifi-Sabet is a writer and editor who specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.