This past Sunday (10), the hacking group CCESS announced news that surprised even those who follow them closely: they managed to run the classic shooter Doom, originally released in 1993, on a NASA website.
The feat was carried out on the website of NASA’s OIG (“Office of Inspector General”), the office responsible for auditing and improving the economic efficiency of the space agency’s study, observation and space exploration projects. To do so, the hackers used a vulnerability discovered in August last year by a researcher named Underground, who found two flaws in the site that allowed a person outside the system to run their own code inside the site, which would allow the inclusion of password-stealing malware or cryptocurrency miners.
At the time of the discovery, NASA was notified of the flaws and was receptive, but only one of the vulnerabilities was corrected. So, after the six-month period that must be waited out before making the flaw public, the Brazilian hackers decided to have some fun and use that vulnerability to run Doom on the agency’s website.
Thus, between noon and 3:00 p.m. on Tuesday (12), it was possible to access the four levels of Doom from this NASA site, and the problem appeared to have been resolved only at 3:09 p.m.
CCESS usually tests the digital security of large companies and has already found flaws on, for example, the website of Banco do Brasil. As with NASA, the bank also took more than six months to correct the problem and did so only when the flaw became public.