German hacker D35m0nd142 has identified a couple of vulnerabilities on the website of NASA’s Goddard Space Flight Center (GSFC) that could have been leveraged by cybercriminals to cause some serious damage. Fortunately, the agency rushed to address the issues after being notified by the hacker. D35m0nd142 discovered a Blind SQL Injection vulnerability and a web application firewall (WAF) bypass flaw.
As demonstrated by the hacker, the SQL Injection bug could have been successfully exploited by a remote attacker to gain access to the site’s databases, including the ones containing user details.
The WAF bypass flaw could have been leveraged to bypass the firewalls set up to protect the website.
“I haven't done and I will not do any type of damage. This attack hasn't any malicious purpose. I've just listed some tables and most important columns of this database in order to demonstrate the big and dangerous vulnerability, not for fun,” the hacker said.
“As anyone can see, there is a lot of interesting and sensible information that could have been taken and exploited by malicious attackers and, for this reason, this bug needs to be repaired as soon as possible.”
The hacker has told Softpedia that NASA hasn’t replied to his reports, but it has silently fixed the vulnerabilities.
To demonstrate the risks posed by the flaws he identified, the expert published a number of screenshots, along with the names of databases and tables that could have been accessed by an attacker exploiting them.
The large number of security breaches that have occurred recently has made NASA take some measures to protect the personal details of its employees. However, the process is not going too well.
Besides protecting its websites, the agency is also determined to make sure that all agency-issued devices are fully encrypted, so that the information stored on them stays protected in case they get lost or stolen.
After the latest incident, which exposed the details of over 10,000 staffers, NASA attempted to roll out whole-disk encryption by December 21, but the process – initiated in 2010 – has been once again delayed.