wordpress blog stats
Connect with us

Hi, what are you looking for?

Vulnerability in NASA’s Jira setting exposed details of a thousand users

Sensitive information such as internal user details, project details, employee names and mail IDs, was exposed through Jira, a web app that companies use for tracking tasks and issues, at the National Aeronautics and Space Administration aka NASA.

NCR based security researcher Avinash Jain, who shared the findings with MediaNama, found the vulnerability and reported it to NASA and the US Cert team on 3 September 2018. Jain said that the details of a thousand users were disclosed due to the vulnerability, which was quietly fixed three weeks after it was reported, on 25 September 2018.

However, the period for which the vulnerability existed (before Jain found it) is unclear.

Avinash Jain, Cybersecurity researcher who reported the bug

Explaining the issue, Jain said that there was an authorisation related misconfiguration in NASA’s Jira, which led to the disclosure of information. “In Jira, creating filters or dashboards provides some visibility option to set on them. The issue was due to the wrong permission assigned to them,” said Jain. He further explained:

“When the filters or dashboards set the visibility to ‘All users’ and ‘everyone’ respectively,” instead of sharing the information with everyone from the organisation, the filter shares the information with everyone publicly.

In a report with his findings, Jain lists various other sections of Jira that had exposed user information and their task related information to other internet users.

In his report, Jain said that this can give an attacker an idea about the kind of information housed within the application along with the details of the projects.

Advertisement. Scroll to continue reading.

Picture credits: Avinash Jain

Picture credits: Avinash Jain

Picture credits: Avinash Jain

While CERT responded to Jain on 17 October, weeks after the bug was fixed, Jain said that he never heard from NASA despite writing to them 5 times. He was never personally notified when the bug was fixed, he said. The CERT team told him that it did not have a reward process for bug-finders. Jain laments that CERT and NASA don’t seem to have a dedicated, responsible team which appreciates ethical efforts, which leads to breaches by black hat hackers.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.

News

In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...

News

By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

News

By Stella Joseph, Prakhil Mishra, and Yash Desai The Government of India circulated proposed amendments to the Consumer Protection (E-Commerce) Rules, 2020 (“E-Commerce Rules”) which...

News

By Rahul Rai and Shruti Aji Murali A little less than a year since their release, the Consumer Protection (E-commerce) Rules, 2020 is being amended....

You May Also Like

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ