NASA has a lot of subdomains and they're full of security holes

Feb 13, 2012 07:53 GMT  ·  By

Members of two hacker collectives, Team r00tw0rm and Team inj3ct0r, identified an SQL injection vulnerability on one of the subdomains NASA operates under nasa.gov. By exploiting the flaw, they dumped a database of roughly 6 gigabytes, but declined to name the affected subdomain in order to give the agency time to patch it.

The sample they released contains usernames, email addresses, names, IDs, login dates, passwords and other fields.

“Complete database is in GBs; well, we aren't leaking it. We may keep all parts in our private home! Yet only a little bit of the dump, or a few columns of data, is released just to inform NASA that, being the National Aeronautics and Space Administration, you must also keep your servers up to date!” the hackers said.

They claim to have informed NASA a few days earlier, but since the agency failed to respond, they leaked part of the database to get its attention.

This is not an isolated case: NASA domains and subdomains have been found vulnerable repeatedly over the past several days. Members of TeamHav0k also found a subdomain that is trivial to exploit.

They identified a cross-site scripting (XSS) vulnerability and published a screenshot as proof.

“Well, here's another XSS in NASA... I was surprised at how easy it was. Just a simple check of the src of the page: they only filtered out stuff like < / > and I think the = as well,” a TeamHav0k representative said.
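The quote above describes a character blacklist rather than output encoding, and that distinction is the whole story behind this class of XSS. The following is an added example written for this article, not code from TeamHav0k or from any NASA site: it contrasts a filter that strips only the four characters named in the quote (<, /, > and =) with context-aware encoding. The filter set is taken from the quote; the page templates, payloads and helper names (blacklistFilter, htmlEncode, jsStringLiteral, renderText, renderScript, scriptBreakout) are constructed for illustration and make no claim about what the affected page actually did.

```javascript
// Added example: a character blacklist versus context-aware output encoding.
// The blacklist set (< / > =) comes from the quote above; everything else
// here is constructed for illustration and is not NASA's or TeamHav0k's code.

// Blacklist filter: removes only the four characters named in the quote.
function blacklistFilter(input) {
  return input.replace(/[<>\/=]/g, "");
}

// Correct fix for an HTML text or attribute context: encode every HTML
// metacharacter so the value can neither open a tag nor close a quote,
// while legitimate input (slashes, equals signs) survives intact.
function htmlEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return input.replace(/[&<>"']/g, (c) => map[c]);
}

// Correct fix for a value placed inside an inline <script> string: emit a
// JSON string literal and escape "<" so "</script>" cannot end the block.
function jsStringLiteral(input) {
  return JSON.stringify(input).replace(/</g, "\\u003c");
}

// Two constructed reflection points: a search term echoed into a text node
// and the same term assigned to a JavaScript variable in an inline script.
function renderText(term, sanitize) {
  return `<p>Results for ${sanitize(term)}</p>`;
}
function renderScript(term, toLiteral) {
  return `<script>var q = ${toLiteral(term)};</script>`;
}

// A blacklist-based page would wrap the filtered value in quotes itself.
const blacklistLiteral = (term) => `"${blacklistFilter(term)}"`;

// True if the rendered inline script is anything other than a single
// `var q = "<one JSON string literal>";` statement, i.e. the reflected
// value escaped the string literal and injected code.
function scriptBreakout(html) {
  const body = html.slice("<script>".length, -"</script>".length);
  return body.match(/^var q = ("(?:[^"\\]|\\.)*");$/) === null;
}

// Text context: the blacklist prevents a tag, but only by mangling input,
// and it mangles harmless input too; encoding handles both correctly.
const tagPayload = "<script>alert(1)</script>";   // constructed payload
const harmless = "1/2 = 0.5";                      // constructed legit input
console.log(renderText(tagPayload, blacklistFilter)); // tag destroyed, data mangled
console.log(renderText(tagPayload, htmlEncode));      // rendered as literal text
console.log(renderText(harmless, blacklistFilter));   // "12  0.5": slash and = lost
console.log(renderText(harmless, htmlEncode));        // unchanged

// Script context: the payload uses none of the four blacklisted characters,
// so the blacklist passes it through and the value closes the string and
// runs; the JSON literal keeps it inside the string.
const jsPayload = '";alert(1);"';                  // constructed payload
console.log(scriptBreakout(renderScript(jsPayload, blacklistLiteral))); // true
console.log(scriptBreakout(renderScript(jsPayload, jsStringLiteral)));  // false
```

The takeaway for a practitioner is that a blacklist is blind to where the value lands: it happens to block a bare tag in a text node, corrupts legitimate data on the way, and does nothing for a JavaScript string context that never needs an angle bracket. Encoding for the specific output context (HTML entity encoding for markup, a JSON literal with "<" escaped for inline scripts) is the fix, and it is what the view-source check in the quote would have to show before the page could be called patched.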

Last week the Kennedy Space Center's website was found to contain a similar weakness; once contacted, the site's administrators promised to look into it.

A few years ago, breaking into NASA was how veterans of the hacking scene proved their skills. Now the agency runs so many sites, and they are so full of security holes, that even a novice hacker finds them hard to resist.