Summary by AKHIL_C_D
As an attacker, I was able to access and download an internal NASA document explicitly labeled “For Official Use Only – Not for Public Release” without any authentication or access control, and extract a large volume of personally identifiable information (PII), including full names, email addresses, phone numbers, physical addresses, and agency affiliations of NASA staff and external collaborators. This type of sensitive information enables real-world risks such as targeted phishing, impersonation, and social engineering attacks against government employees, partners, and infrastructure. The presence of internal communications, signatures, and affiliations further amplifies the potential for reputational damage and operational disruption, making this not just a policy violation but a tangible security exposure that should be remediated promptly.
@teapot_bugcrowd Kindly stop copy-pasting the same reply for every submission as N/A.