Over 100,000 UN Employee Records Accessed by Researchers
Security researchers were able to access over 100,000 United Nations employee records and credentials in only a matter of hours. Sakura Samurai assembled a team to look for bugs to report under the UN's vulnerability disclosure program. An exposed subdomain belonging to the International Labour Organization, a UN agency, allowed the researchers to exfiltrate Git credentials using the git-dumper tool. The ILO leak did not contain much information of importance; however, the United Nations Environment Programme also had an exposed subdomain.
With the exposed domains, the researchers were able to download password-protected projects along with many database and application credentials for the UNEP. Seven additional credential pairs could have allowed unauthorized access to more databases. The UN quickly patched the vulnerabilities after over 100,000 employee records, including names, ID numbers, evaluation reports and funding source records, among other details, were accessed. The UN has been at risk from nation-state attackers in the past.
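The root cause described above is a `.git` directory reachable from a web root, which tools such as git-dumper walk file by file (`HEAD`, `config`, `index`, `objects/...`). The following detection logic is an added example, not code from the article or the researchers; it scans web-server access logs in the default combined format for `.git` requests and reports, per client, whether the server actually served repository metadata (a 2xx answer confirms the exposure) or blocked it. The log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any request whose path enters a .git directory (HEAD, config, index, objects/...).
GIT_PATH_RE = re.compile(r'(?:^|/)\.git(?:/|$)')

# Constructed sample log: one client walks the repository and is served every file,
# one client is refused by a deny rule, one client never touches .git at all.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [11/Jan/2021:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [11/Jan/2021:10:00:02 +0000] "GET /.git/config HTTP/1.1" 200 311
203.0.113.7 - - [11/Jan/2021:10:00:03 +0000] "GET /.git/index HTTP/1.1" 200 84021
203.0.113.7 - - [11/Jan/2021:10:00:03 +0000] "GET /.git/objects/ab/cdef0123 HTTP/1.1" 200 1502
198.51.100.4 - - [11/Jan/2021:10:00:05 +0000] "GET /.git/HEAD HTTP/1.1" 403 162
198.51.100.9 - - [11/Jan/2021:10:00:06 +0000] "GET /about.html HTTP/1.1" 200 2048
"""


def find_git_requests(log_text):
    """Group .git requests per client IP into those the server served (2xx) and
    those it blocked. A served request means repository metadata left the host."""
    per_client = defaultdict(lambda: {"served": [], "blocked": []})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not GIT_PATH_RE.search(m["path"]):
            continue
        bucket = "served" if m["status"].startswith("2") else "blocked"
        per_client[m["ip"]][bucket].append(m["path"])
    return dict(per_client)


def exposed_repository(log_text):
    """True if any .git path was served successfully. On a hit, the .git tree must be
    removed from the web root and every secret in its history treated as compromised."""
    return any(v["served"] for v in find_git_requests(log_text).values())


if __name__ == "__main__":
    for ip, hits in find_git_requests(SAMPLE_LOG).items():
        print(ip, "served:", len(hits["served"]), "blocked:", len(hits["blocked"]))
    print("repository exposed:", exposed_repository(SAMPLE_LOG))
```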