If you’ve heard of the app JIRA, you probably know it’s a pretty handy tool that helps companies keep track of the work their employees are doing. It helps administrators organize tasks and manage how individual projects are progressing. It looks like one of NASA’s admins made a mistake on JIRA that caused a data leak that lasted for more than 3 weeks.
NASA’s JIRA Leak – Human Error Exposes Data To the Public
NASA’s JIRA Leak – The Full Story
Anyone who’s familiar with JIRA knows that admins control who can see what in the app. The problem is that JIRA’s choice of visibility terms is easy to misread: admins have to specify which users can access which data, and the two broadest options look almost interchangeable.
If an admin accidentally selects “Everyone” instead of “All users”, they end up exposing the data to the whole internet. “All users” means every user of the company’s JIRA instance, but “Everyone” literally means everyone, including visitors who never log in.
It looks like that’s what one of NASA’s admins ended up doing. This mix-up in terminology ended up exposing data that included employee emails and project names. Bug hunter Avinash Jain found the leak and reached out to NASA and US-CERT, letting them know that the data was public. He contacted NASA on September 3rd, 2018 but noticed that the leak wasn’t fixed until the 25th of September. In other words, the data was public for a whole 3 weeks.
Jain made it clear that the following information was at risk:
- All employee names and emails.
- Their roles within the company (which can be seen via JIRA groups).
- Ongoing projects and “upcoming milestones”.
This isn’t looking great for NASA, especially since it suffered a security breach less than a month ago that ended up exposing the social security numbers of many previous and current employees.
Perhaps the biggest shock, though, is that NASA took 3 weeks to do anything about this leak. That’s not even mentioning the fact that it failed to respond to Jain at all. That’s right, NASA didn’t even say thank you.
NASA’s JIRA Leak – Final Thoughts
There isn’t much to discuss here, other than the fact that NASA’s reaction is very disappointing. Setting aside the 3 weeks it took them to change the visibility settings on the app, NASA’s radio silence isn’t something one would expect. This data leak wasn’t caused by an outside attacker, so I don’t see why NASA hasn’t commented on it yet.
If you are a JIRA administrator, don’t be like NASA. Make sure you understand the app’s visibility settings, check what an option like “Everyone” actually means before you pick it, and review what is already shared so you stay on top of your company’s privacy at all times.
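Reviewing what is already shared is the check that would have caught the “Everyone” versus “All users” mix-up described above. The script below is an added example for this post, not NASA’s tooling or Jira’s own code. It assumes JSON in the shape the Jira Cloud REST API returns for filters and dashboards (each item carries a `sharePermissions` list), and it assumes the permission type `global` is what the UI calls “Everyone”/“Public” while `loggedin` (or `authenticated` on older instances) is “All users”/“Any logged in user”. The sample payload is constructed for the example and contains no real NASA data; to run it against a real instance you would replace `SAMPLE` with the API response.

```python
import json

# Share-permission types as the Jira REST API reports them (assumption, see lead-in).
PUBLIC_TYPES = {"global"}                        # "Everyone" / "Public": no login required
LOGGED_IN_TYPES = {"loggedin", "authenticated"}  # "All users" / "Any logged in user"


def classify(item):
    """Classify one filter or dashboard by its widest share permission.

    'public'     -> anyone on the internet can view it (the mistake in the story)
    'all-users'  -> every logged-in account on the instance can view it
    'restricted' -> only specific users, groups, projects, or the owner
    """
    types = {perm.get("type") for perm in item.get("sharePermissions", [])}
    if types & PUBLIC_TYPES:
        return "public"
    if types & LOGGED_IN_TYPES:
        return "all-users"
    return "restricted"


def find_public_items(items):
    """Return (id, name) pairs for every item that anonymous visitors can see."""
    return [(item["id"], item["name"]) for item in items if classify(item) == "public"]


def audit(payload):
    """Summarise a payload of {'filters': [...], 'dashboards': [...]}.

    Returns {kind: {'public': [...], 'all-users': [...], 'restricted': [...]}}
    with (id, name) pairs; the 'public' lists are the remediation queue.
    """
    report = {}
    for kind, items in payload.items():
        buckets = {"public": [], "all-users": [], "restricted": []}
        for item in items:
            buckets[classify(item)].append((item["id"], item["name"]))
        report[kind] = buckets
    return report


# Constructed sample in the API's shape; hypothetical names, not real data.
SAMPLE = json.loads("""
{
  "filters": [
    {"id": "10100", "name": "Team roster",
     "sharePermissions": [{"type": "global"}]},
    {"id": "10101", "name": "Sprint backlog",
     "sharePermissions": [{"type": "loggedin"}]},
    {"id": "10102", "name": "Project ABC issues",
     "sharePermissions": [{"type": "project", "project": {"key": "ABC"}}]},
    {"id": "10103", "name": "My private filter",
     "sharePermissions": []}
  ],
  "dashboards": [
    {"id": "10001", "name": "Launch milestones",
     "sharePermissions": [{"type": "group", "group": {"name": "engineers"}},
                          {"type": "global"}]},
    {"id": "10002", "name": "Ops wallboard",
     "sharePermissions": [{"type": "authenticated"}]}
  ]
}
""")


if __name__ == "__main__":
    # Print only the items that an unauthenticated visitor could open.
    for kind, buckets in audit(SAMPLE).items():
        for item_id, name in buckets["public"]:
            print(f"PUBLIC {kind[:-1]} {item_id}: {name!r} is visible without logging in")
```

Note that a single `global` entry makes an item public even when it also lists narrower shares such as a group, which is why `classify` checks for the widest permission rather than the first one; the “Launch milestones” dashboard in the sample is flagged for exactly that reason.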