Researchers gained access to the Git Repositories belonging to the United Nations, exposing staff records and credentials.
Security researchers revealed that they have managed to access more than 100,000 personal records and credentials belonging to United Nations employees within just a few hours.
Ethical hacking and security research group Sakura Samurai had decided to look for bugs to report to the UN under its vulnerability disclosure program.
They have responsibly disclosed the security vulnerability that let them access over 100,000 private employee records of United Nations Environmental Programme (UNEP).
The data breach stemmed from exposed Git directories and credentials, which allowed the researchers to clone Git repositories and collect a large amount of personally identifiable information (PII) associated with over 100k employees.
The researchers Jackson Henry, Nick Sahler, John Jackson, and Aubrey Cottle of Sakura Samurai who have disclosed the vulnerability came across exposed Git directories (.git) and Git credential files (.git-credentials) on domains associated with the UNEP and United Nation’s International Labour Organization (ILO).
The researchers were able to dump the contents of these Git files and clone entire repositories from the *.ilo.org and *.unep.org domains using git-dumper.
The .git directory contents comprised sensitive files, such as WordPress configuration files (wp-config.php) exposing the administrator’s database credentials.
The different PHP files exposed as a part of this data breach contained plaintext database credentials associated with other online systems of the UNEP and UN ILO.
Besides the publicly accessible .git-credentials files helped the researchers to get UNEP’s source code base.
Using these credentials, researchers were able to exfiltrate the private information of over 100,000 employees from multiple UN systems.
The data collected by the group exposed travel history of UN staff, containing details such as: Employee ID, Names, Employee Groups, Travel Justification, Start and End Dates, Approval Status, Destination, and the Length of Stay.
Similarly, other UN databases accessed by the researchers as a part of their analysis exposed HR demographic data (nationality, gender, pay grade) on thousands of employees, project funding source records, generalized employee records, and employment evaluation reports.
The researchers obtained all of this data within less than 24 full hours. They stated that they have found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases.
The researchers reported the vulnerability to UN privately on January 4th, 2021 to which the UN Office of Information and Communications Technology (OICT) initially acknowledged their report. But, without realizing the vulnerability concerned, UNEP responded that the reported vulnerability does not pertain to the United Nations Secretariat, and is for ILO (International Labour Organization).
Saiful Ridwan, Chief of Enterprise Solutions at UNEP thanked the researchers for their vulnerability report and stated that their DevOps team had taken immediate steps to patch the vulnerability and that an impact assessment of this vulnerability was in progress.
However, United Nations was quick to patch this security issue within under a week.
It is however not confirmed whether the attackers have already obtained the data. The UNEP should analyze the trajectory of the exposed PII to determine how many threat actors, if any, have the data.