Another NASA subdomain proves to be highly vulnerable

Feb 4, 2012 09:37 GMT  ·  By

After being silent for more than a week, members of TeamHav0k came forward with another cross-site scripting (XSS) vulnerability found in a high-profile website. This time it’s the site of the National Aeronautics and Space Administration (NASA), more precisely the subdomain dedicated to the Kennedy Space Center.

The hackers released a Pastebin file with a proof-of-concept to reveal that one of the pages can be easily used by cybercriminals to execute arbitrary code within the webpage.

By relying on social engineering techniques, a hacker could cause a lot of damage by leveraging these types of flaws.

TeamHav0k accustomed us with finding XSS flaws in major websites. The last time they revealed security holes in US government sites, but also in some commercial domains such as the ones that belong to IGN, ImageShack, Verizon, New York Times and University of Virginia.

We've contacted NASA to inform them of the vulnerability and hopefully they'll let us know when it's patched up.

Update. John F. Kennedy Space Center responded to our inquiry stating that their IT Security office is currently investigating the issue.