The United Nations vulnerabilities dissemination program has allowed us to discover that, in a matter of hours, it was possible to access the private data of more than 100.000 employee of the international organism.The head of the finding has been the ethical and cybersecurity group Sakura Samurai.
Jackson Henry, Nick Sahler, John Jackson and Aubrey Cottle, the members of this group, tried to seek vulnerabilities exploring multiple endpoints until they found a vulnerable one.One that exposed git credentials.
Looking for vulnerabilities to fix them
What they first found was an exposed subdomain of the International Labor Organization, the United Nations Agency specialized in matters related to work and labor relations.From there, they were able to access the git credentials that allowed them to obtain, via exfiltration by git-dumper, an MySQL database and a survey management platform.
Pulling the thread, and after verifying that the above contained practically anything useful, they finally found a subdomain of the United Nations Environment Program.
After treating all the information, they identified more than 100.000 registros privados de empleadosEn GenbetaEstos investigadores dicen haber encontrado la mejor forma de crear contraseñas seguras gracias a la ciencia"Ultimately, once we discovered the Github credentials, we were able to download a lot of private giving projects protected by password and within the projects we find multiple sets of credentials of databases and applications for the PNUMA production environment,"Jackson explains on a website.
The credentials gave them the possibility to download the git repositories, "identifying a ton of user and pii records".
After treating all the information, they identified more than 100.000 private employee records with information such as names, identification numbers, gender or detailed travel records.They also saw that it was possible to access multiple databases without authorization.At this point, they notified the vulnerability to the United Nations.According to Hack News, it has already been paveled.