"Over 100,000 UN Employee Records Accessed by Researchers"
Security researchers at Sakura Samurai have revealed that it took them just hours to access over 100,000 personal records and credentials belonging to United Nations employees. The researchers were looking for bugs to report to the UN under its vulnerability disclosure program.

The researchers initially found an exposed subdomain belonging to a UN body, the International Labour Organization (ILO). This gave them access to Git credentials, which they used to take over a legacy MySQL database and a survey management platform. The credentials were exfiltrated with the git-dumper tool, which reconstructs a repository from an exposed Git directory. These assets contained hardly anything of use, the researchers stated.

The researchers also discovered an exposed subdomain related to the United Nations Environment Programme (UNEP), which posed a much bigger privacy risk. This domain was also leaking Git credentials. Once the researchers obtained the GitHub credentials, they were able to download many private, password-protected GitHub projects, and within those projects they found multiple sets of database and application credentials for the UNEP production environment. In total, the team discovered over 100,000 employee records, including names, ID numbers, gender, pay grade, records of travel details, work sub-areas and departments, evaluation reports, and funding source records.
Infosecurity reports: "Over 100,000 UN Employee Records Accessed by Researchers"