Two months ago, NASA quietly fixed a buggy internal server that was leaking sensitive information about the agency’s staff and their work.
The leaking server was — ironically — a bug reporting server, running the popular Jira bug triaging and tracking software. In NASA’s case, the software wasn’t properly configured, allowing anyone to access the server without a password, Avinash Jain, an India-based security researcher who found the exposed server, told TechCrunch.
According to Jain’s writeup, some Jira instances can be misconfigured so that “everyone” is granted access without a password. That setting covers anyone on the internet, not just “everyone” within an organization, as some believe.