BugCrowd Bug Bounty Disclosure: P3 – Critical Identity and Communication Data Exposed in Unprotected NASA Hangar Demolition Doc Vulnerability – Black_charon

Critical Identity and Communication Data Exposed in Unprotected NASA Hangar Demolition Doc Vulnerability

Researcher: Black_charon
Engagement: National Aeronautics and Space Administration (NASA) – Vulnerability Disclosure Program
Disclosed at: 2025-08-08T18:47:44Z
Priority: P3
Status: Unresolved

Summary

As an attacker, I was able to access and download an internal NASA document explicitly labeled “For Official Use Only – Not for Public Release” without any authentication or access control, and extract a large volume of personally identifiable information (PII), including full names, email addresses, phone numbers, physical addresses, and agency affiliations of NASA staff and external collaborators. This type of sensitive information enables real-world risks such as targeted phishing, impersonation, and social engineering attacks against government employees, partners, and infrastructure. The presence of internal communications, signatures, and affiliations further amplifies the potential for reputational damage and operational disruption, making this not just a policy violation but a tangible security exposure that should be remediated promptly.

@teapot_bugcrowd Kindly stop copy pasting the same reply for every Submission as N/A.

Activity Feed

Actor | Details | Timestamp (UTC)
Martin_NASA | Martin_NASA published | 2025-08-08T18:47:44Z
Martin_NASA | Martin_NASA changed the state to unresolved | 2025-08-08T18:47:16Z
Parker_Bugcrowd | Parker_Bugcrowd changed the state to triaged | 2025-08-08T15:40:25Z
Parker_Bugcrowd | Parker_Bugcrowd changed the severity to | 2025-08-08T15:40:24Z
Parker_Bugcrowd | Parker_Bugcrowd sent a message | 2025-08-08T15:40:21Z
Parker_Bugcrowd | Parker_Bugcrowd resolved a blocker for | 2025-08-08T15:40:05Z
Velvet | Velvet created a blocker on | 2025-08-07T14:22:17Z
Black_charon | Black_charon requested | 2025-07-28T09:07:20Z
Black_charon | Black_charon sent a message | 2025-07-28T09:03:31Z
teapot_bugcrowd | teapot_bugcrowd sent a message | 2025-07-28T08:01:37Z
teapot_bugcrowd | teapot_bugcrowd changed the state to not_applicable | 2025-07-28T08:01:35Z
Black_charon | Black_charon created the submission | 2025-07-26T07:05:22Z
