BugCrowd Bug Bounty Disclosure: P3 – Unauthorized Disclosure of PII via Internal NASA Doc Vulnerability – Black_charon

Unauthorized Disclosure of PII via Internal NASA Doc Vulnerability

Researcher: Black_charon
Engagement: National Aeronautics and Space Administration (NASA) – Vulnerability Disclosure Program
Disclosed at: 2025-08-15T14:44:22Z
Priority: P3
Status: Unresolved

Summary

As an attacker, I was able to access and download an internal NASA document explicitly labeled “For Official Use Only – Not for Public Release” without any authentication or access control, and extract a large volume of personally identifiable information (PII), including full names, email addresses, phone numbers, physical addresses, and agency affiliations of NASA staff and external collaborators. This type of sensitive information enables real-world risks such as targeted phishing, impersonation, and social engineering attacks against government employees, partners, and infrastructure. The presence of internal communications, signatures, and affiliations further amplifies the potential for reputational damage and operational disruption, making this not just a policy violation but a tangible security exposure that should be remediated promptly.

@teapot_bugcrowd Kindly stop copy pasting the same reply for every Submission as N/A.

Activity Feed

Actor | Details | Timestamp (UTC)
Martin_NASA | Martin_NASA changed the state to unresolved | 2025-08-18T15:17:02Z
Parker_Bugcrowd | Parker_Bugcrowd changed the state to triaged | 2025-08-18T15:13:57Z
Parker_Bugcrowd | Parker_Bugcrowd changed the severity to | 2025-08-18T15:13:55Z
Parker_Bugcrowd | Parker_Bugcrowd sent a: message | 2025-08-18T15:13:46Z
Parker_Bugcrowd | Parker_Bugcrowd resolved a blocker for | 2025-08-18T15:13:18Z
Martin_NASA | Martin_NASA published | 2025-08-15T14:44:22Z
Ron_Rose | Ron_Rose created a blocker on | 2025-08-15T14:09:40Z
Black_charon | Black_charon requested | 2025-07-28T09:06:53Z
Black_charon | Black_charon sent a: message | 2025-07-28T09:02:42Z
teapot_bugcrowd | teapot_bugcrowd sent a: message | 2025-07-28T08:02:10Z
teapot_bugcrowd | teapot_bugcrowd changed the state to not_applicable | 2025-07-28T08:02:09Z
Black_charon | Black_charon created the submission | 2025-07-26T06:02:59Z
