Sensitive information such as internal user details, project details, employee names and mail IDs, was exposed through Jira, a web app that companies use for tracking tasks and issues, at the National Aeronautics and Space Administration aka NASA. NCR based security researcher Avinash Jain, who shared the findings with MediaNama, found the vulnerability and reported it to NASA and the US Cert team on 3 September 2018. Jain said that the details of a thousand users were disclosed due to the vulnerability, which was quietly fixed three weeks after it was reported, on 25 September 2018. However, the period for which the vulnerability existed (before Jain found it) is unclear. [caption id="attachment_195365" align="aligncenter" width="250"] Avinash Jain, Cybersecurity researcher who reported the bug[/caption] Explaining the issue, Jain said that there was an authorisation related misconfiguration in NASA's Jira, which led to the disclosure of information. "In Jira, creating filters or dashboards provides some visibility option to set on them. The issue was due to the wrong permission assigned to them," said Jain. He further explained: "When the filters or dashboards set the visibility to 'All users' and 'everyone' respectively," instead of sharing the information with everyone from the organisation, the filter shares the information with everyone publicly. In a report with his findings, Jain lists various other sections of Jira that had exposed user information and their task related information to other internet users. In his report, Jain said that this can give an attacker an idea about the kind of information housed…
