Summary by National Aeronautics and Space Administration (NASA) - Vulnerability Disclosure Program
There is no established/validated exploit method
There is no established/validated exploit method
When requesting a password reset on globe.gov, the reset link delivered via email includes sensitive parameters (ticketId and ticketKey) directly inside the URL.
Additionally, the link is wrapped inside a Google redirect (www.google.com/url?q=), causing:
✅ Exposure to a third-party domain (Google)
✅ Logging in browser history, network logs, proxies, referrer headers
✅ Potential retrieval by any script or plugin reading visited URLs