Hello, everyone!
I hope you’re doing great. Today, I’m excited to share an incredible story about my recent experience hunting bugs in NASA’s systems. I found four vulnerabilities that were accepted! 🎉 But here’s the twist — their severity levels were downgraded from P3-P4 to P5 (informational), which was a bit disappointing. Regardless, I learned a lot, and I hope you do too from this writeup! If you enjoy it, don’t forget to follow me for more content like this. 🙌
Every bug hunt begins with recon and enumeration, where I searched for parameters using fuzzing tools and performed port scans. Once I completed this phase, I transitioned to the actual hunting phase.
During this, I had an idea to check for a vulnerability related to EXIF metadata not being stripped.
If you’re not familiar with EXIF metadata, let me explain:
When you buy a new phone or reset it to factory settings, the first time you take a picture, it asks for permissions like location or storage. That’s because images and videos store EXIF metadata, which includes:
In secure applications, when someone uploads an image, the EXIF metadata is usually removed (stripped) to prevent sensitive data from being leaked. But if it’s not stripped, it can expose personal or confidential information.
I started analyzing images uploaded to NASA’s systems. To do this, I used a tool called ExifTool, which allows you to inspect the metadata of image files. After an hour of searching, I discovered an image uploaded through WordPress content that had EXIF metadata fully intact.
Here’s what the metadata revealed:
Date the photo was created
Location (GPS coordinates)
Name and telephone number of the creator
Geolocation details like city
Document ID
Software used
And much more sensitive information that could potentially violate user privacy!
I reported the vulnerability, feeling thrilled because this issue highlighted a serious flaw — sensitive metadata wasn’t being stripped. This could lead to:
Privacy violations
Leakage of user information
Non-compliance with security best practices
NASA accepted the report, which was amazing 🚀! However, they categorized it as a P5 (informational) bug instead of a higher severity level like P3 or P4. According to Bugcrowd’s VRT (Vulnerability Rating Taxonomy), this type of vulnerability usually falls into the P3-P4 category.
While I was slightly disappointed with the categorization, the experience taught me valuable lessons. I hope this story inspires you to dig deeper into your bug hunting journey and look for creative angles like this one.
If you found this helpful, please follow me for more stories and writeups about different vulnerabilities. Let’s learn and grow together as ethical hackers! 💻✨