Ethical hackers have discovered a security vulnerability at the United Nations, giving them access to more than 100,000 private employee records.
The breach stems from exposed Git directories and credential files on domains associated with the UNEP (United Nations Environment Programme) and the ILO (International Labour Organization).
The research group Sakura Samurai made the discovery after its members came across the UN’s Vulnerability Disclosure Program and Hall of Fame.
The group contacted the UN upon discovering the vulnerability, and the organisation has subsequently fixed the issue.
However, it’s unknown whether malicious actors had been able to access the information before the discovery and warning.
What data was affected?
Among the compromised information were WordPress configuration files that exposed the administrator’s database credentials.
Several PHP files were also exposed that contained plaintext database credentials associated with other online systems of both the UNEP and ILO.
The researchers also accessed Git credentials files that gave them access to UNEP’s source code base.
In all, this gave the team access to a wealth of information on UN staff, including their IDs, names, employee groups, and work-related travel details such as destinations, dates of journeys, justification for the travel and approval status.
The researchers also accessed the nationality, gender and pay grade of thousands of employees, as well as project funding source records, employee records and employment evaluation reports.
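The root cause described above is a web document root that serves artefacts it should not: a `.git` directory and plaintext credential files. The following is an added example, not code from the article or from Sakura Samurai, of a deployment-time audit that walks a docroot and flags those artefacts before a web server ever exposes them. The file names it looks for (`.git-credentials`, `.env`, `.htpasswd`, backup copies of `wp-config.php`) and the sample tree it builds are assumptions for illustration.

```python
"""Audit a web document root for exposed .git directories and plaintext credential files."""
import os
import re
import tempfile

# File names that hold secrets and should never sit in a served directory
# (assumed common names, not the UN's actual file names).
SENSITIVE_NAMES = {".git-credentials", ".env", ".htpasswd"}
# wp-config.php itself is executed by PHP; backup or renamed copies are served as plain
# text and leak the database credentials they contain.
WP_CONFIG_BACKUP = re.compile(r"^wp-config\.php(\.(bak|old|orig|save|txt)|~)$", re.I)


def audit_docroot(docroot):
    """Return a sorted list of (finding, relative_path) for everything that should be removed
    or blocked at the web server before the directory is served."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        rel = os.path.relpath(dirpath, docroot)
        rel = "" if rel == "." else rel
        if ".git" in dirnames:
            # A reachable .git/ lets a client reconstruct the whole repository history.
            findings.append(("exposed-git-dir", os.path.join(rel, ".git")))
            dirnames.remove(".git")  # no need to descend into the repository itself
        for name in filenames:
            path = os.path.join(rel, name)
            if name in SENSITIVE_NAMES:
                findings.append(("plaintext-credential-file", path))
            elif WP_CONFIG_BACKUP.match(name):
                findings.append(("wp-config-backup", path))
    return sorted(findings)


def build_sample_docroot():
    """Construct a throwaway docroot reproducing the article's conditions (constructed sample)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as f:
        f.write("ref: refs/heads/main\n")
    os.makedirs(os.path.join(root, "wp"))
    open(os.path.join(root, "wp", "wp-config.php"), "w").close()      # legitimate, executed
    open(os.path.join(root, "wp", "wp-config.php.bak"), "w").close()  # served as text
    open(os.path.join(root, ".git-credentials"), "w").close()         # plaintext Git token
    open(os.path.join(root, "index.php"), "w").close()
    return root


if __name__ == "__main__":
    for finding, path in audit_docroot(build_sample_docroot()):
        print(f"{finding}: {path}")
```

Run this from CI against the build output or the deployed docroot and fail the pipeline on any finding; a matching web-server rule that denies requests for `/.git` and dotfiles is the second layer, since the audit only catches what is present at deploy time.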