NASA employee data left exposed due to misconfigured app

A misconfigured app has exposed NASA employees’ personal details including their names and email address, as well as details about ongoing projects, according to a security researcher. The data was exposed for three weeks in 2018 after an administrator  set permissions in Jira incorrectly. A filter misconfiguration was also found exposing how NASA tasks and categorises projects and who oversees them.  

According to security researcher Avinash Jain, a system administrator may have misunderstood the definition of “all users” and “everyone” when assigning permissions to newly-created dashboards within the app, interpreting these terms to mean everyone within the organisation. Jain added that such access can “give an attacker an idea of what kind of information may be housed within the application and what projects team is working upon along with showing features of different projects.” 

He reportedly notified the NASA Security Operations Centre and US-CERT on 3rd September 2018, and was informed the issue had been resolved three weeks later, on 25th September.  

Many cloud services are intentionally designed to promote collaboration and data sharing, however accidental data breaches can occur when organisations using cloud services fail to apply the security settings needed to keep information private.   

Under old models of information security, making some data available to ‘everyone’ meant ‘everyone within the organisation, but no-one else’. In the cloud it can mean that same thing, or by design it can mean that ‘everyone on the Internet can see it’.