- A NASA web app leaked personal employee information like contact details and project names.
- The web app was using Jira, and the leak occurred due to unsecured visibility settings.
- The data was visible to all Jira users for at least three weeks.
Bug hunter Avinash Jain published a report detailing a recent data leak suffered by NASA. The aeronautics and aerospace research organization was using Jira, a proprietary issue-tracking product developed by Atlassian that supports bug tracking and project management. Due to an unsecured visibility setting in the project management tool, private employee data such as names, contact information and project names was visible to all Jira users.
The NASA data leak did not involve a security breach; it resulted from a common misconception among users of the Jira web apps. The “Everyone” option offered when selecting user access rights grants all of the app’s users access to the project tracker’s data, not just the members of a project.
Fortunately for NASA, no sensitive information was visible. However, the report points out: “NASA Jira instance also had a misconfiguration related to Filters setting which lists the most popular filters used to categorize issues and tasks within the application. It also lists the username of the person who ‘owns’ each of these filters. This will likely not be a complete list of users like the browse users function, but can glean useful information about how usernames are formatted.”
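The two misconfigurations described above (filters shared with “Everyone”, and filter ownership exposing usernames) are the kind of thing an administrator can audit from the filter list itself. The following is an added example, not code from the report or from Atlassian: it takes a filter-search response in the shape of the Jira Cloud REST API's `GET /rest/api/2/filter/search?expand=owner,sharePermissions` (the field names `values`, `owner`, `sharePermissions` and `type`, and the share-type values `global`, `loggedin` and `authenticated`, are assumptions based on that documented filter object) and reports every filter shared beyond a project, group or user boundary, together with the owner usernames that such filters expose. The input is a constructed sample so the script runs offline.

```python
import json

# Constructed sample response, shaped like the Jira Cloud REST API's
# filter search with owner and sharePermissions expanded. Field names and
# share-type values are assumptions; verify against your instance's API docs.
SAMPLE_RESPONSE = json.dumps({
    "values": [
        {"id": "10001", "name": "Open bugs - Project Alpha",
         "owner": {"name": "jdoe", "displayName": "J. Doe"},
         "sharePermissions": [{"type": "project", "project": {"key": "ALPHA"}}]},
        {"id": "10002", "name": "All employee tasks",
         "owner": {"name": "asmith", "displayName": "A. Smith"},
         "sharePermissions": [{"type": "global"}]},
        {"id": "10003", "name": "Onboarding checklist",
         "owner": {"name": "bwong", "displayName": "B. Wong"},
         "sharePermissions": [{"type": "loggedin"}]},
        {"id": "10004", "name": "My private filter",
         "owner": {"name": "cdiaz", "displayName": "C. Diaz"},
         "sharePermissions": []},
    ]
})

# Share types that expose a filter to every user of the instance (or the
# whole web) rather than to a specific project, group or user. "global" is
# assumed to correspond to the "Everyone"/public option in the share dialog.
BROAD_SHARE_TYPES = {"global", "loggedin", "authenticated"}


def find_overshared_filters(response_json: str) -> list:
    """Return one finding per filter whose share permissions are broader
    than a project, group or user scope."""
    data = json.loads(response_json)
    findings = []
    for flt in data.get("values", []):
        broad = sorted({
            perm.get("type")
            for perm in flt.get("sharePermissions", [])
            if perm.get("type") in BROAD_SHARE_TYPES
        })
        if broad:
            findings.append({
                "id": flt.get("id"),
                "name": flt.get("name"),
                "owner": flt.get("owner", {}).get("name"),
                "shared_with": broad,
            })
    return findings


def exposed_owner_usernames(findings: list) -> list:
    """Usernames that an instance-wide viewer of the filter list would learn,
    which is the enumeration concern the report raises."""
    return sorted({f["owner"] for f in findings if f.get("owner")})


if __name__ == "__main__":
    results = find_overshared_filters(SAMPLE_RESPONSE)
    for f in results:
        print(f"filter {f['id']} '{f['name']}' owned by {f['owner']} "
              f"is shared with: {', '.join(f['shared_with'])}")
    print("owner usernames visible to all users:",
          exposed_owner_usernames(results))
```

Against a live instance, the same functions can be fed the body returned by an authenticated request to the filter-search endpoint; filters the script flags should be re-shared to the specific project or group that needs them, which removes both the data exposure and the username listing.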
NASA also does not appear to have a team dedicated to receiving disclosures of such leaks. Even though the researcher reached out to the organization, he did not receive any reply. He revealed that he has reported similar incidents in the past and was met with the same kind of reaction. This is the second time within the past few months that the organization has run into a data leak, after employees’ social security numbers and other private data were stolen in October. Similar incidents occurred in 2011 and 2016 as well.