Summary by c3L0Mu1d3R
A public API endpoint on the NASA NLSP domain discloses internal user identifiers, usernames, and detailed role/group assignments without requiring authentication.
The endpoint appears to be used by the LSDA/NLSP web interface to determine user context, but it returns verbose metadata including internal account identifiers, NASA staff usernames, access control lists, and internal role mappings.
Impact
This exposure reveals internal organizational and identity information, which can be abused for reconnaissance or social engineering purposes.
Specifically, attackers could:
Identify valid internal usernames for use in phishing or brute-force attacks;
Understand the structure of NASA’s Insight platform (roles, groups, and ACLs);
Map internal application data models and backend structure for future exploitation.
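As an added illustration (not code from the report or from the NLSP application), the snippet below pairs a hardened user-context handler, which returns nothing to a caller without a session and never the internal id or ACL map, with a log-review helper that flags the field classes the report names when they appear in a response served unauthenticated. The record layout and field names are constructed for the example.

```python
import json
from typing import Optional

# Constructed sample record in the shape the report describes (internal id,
# username, roles/groups, ACLs); field names are illustrative, not NLSP's.
INTERNAL_USER_RECORD = {
    "id": 10421,
    "username": "jdoe",
    "roles": ["curator", "mission-ops"],
    "groups": ["lsda-admins"],
    "acl": {"datasets": ["read", "write"], "users": ["list"]},
}

# Field classes that must never reach an unauthenticated caller.
SENSITIVE_FIELDS = frozenset({"id", "username", "roles", "groups", "acl"})


def user_context(record: dict, principal: Optional[str]) -> dict:
    """Hardened handler: authenticate first, then return only what the UI
    needs (roles and groups for the caller's own account); the internal id
    and the ACL map stay server-side."""
    if principal is None:
        return {"authenticated": False}  # no session: disclose nothing
    if principal != record["username"]:
        return {"authenticated": True, "error": "forbidden"}
    return {"authenticated": True,
            "roles": list(record["roles"]),
            "groups": list(record["groups"])}


def audit_response(body: str, authenticated: bool) -> list:
    """Review helper for access logs: given a response body and whether the
    request carried a valid session, list the sensitive fields that were
    served to an unauthenticated caller (empty list means no finding)."""
    if authenticated:
        return []
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(payload, dict):
        return []
    return sorted(SENSITIVE_FIELDS & set(payload))


if __name__ == "__main__":
    # Vulnerable behaviour: the raw record is served without a session.
    print(audit_response(json.dumps(INTERNAL_USER_RECORD), authenticated=False))
    # Hardened behaviour: the same unauthenticated call leaks nothing.
    print(audit_response(json.dumps(user_context(INTERNAL_USER_RECORD, None)),
                         authenticated=False))
```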