Friday, January 15, 15:08

Researchers have gained access to 100.000 UN staff files!

On January 11, researchers from the Sakura Samurai team disclosed a vulnerability that allowed them to access more than 100.000 staff files of the United Nations Environment Programme (UNEP) in less than 24 hours. The data breach stemmed from publicly exposed Git directories and credentials files, which allowed the researchers to clone Git repositories and collect large amounts of personally identifiable information (PII) relating to UN staff.

After finding the United Nations Vulnerability Disclosure Program and InfoSec Hall of Fame, researchers Jackson Henry, Nick Sahler, John Jackson and Aubrey Cottle of Sakura Samurai began looking for security bugs affecting UN systems. They located exposed Git directories (.git) and Git credentials files (.git-credentials) on domains belonging to UNEP and the International Labour Organization (ILO). Using git-dumper, the researchers were able to dump the contents of these .git directories and clone entire repositories from the domains * and *.


The exposed .git directories contained sensitive files such as WordPress configuration files (wp-config.php), which disclose database administrator credentials. Similarly, several PHP files exposed as part of this breach contained plaintext database credentials for other UNEP and ILO web systems. In addition, publicly accessible .git-credentials files allowed the researchers to access UNEP's source code base.
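As an added illustration, not code from the article or from Sakura Samurai, the following Python script checks web server access-log lines for the request pattern a .git crawl of the kind described above leaves behind, so an operator can tell whether repository paths or .git-credentials were requested and, worse, answered with a 2xx status. The log lines are constructed samples using documentation IP ranges.

```python
import re
from collections import defaultdict

# Apache/nginx combined-log-format line; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a git-dumper style crawl requests (anything under .git/) plus the
# .git-credentials file the article says was publicly reachable.
SENSITIVE_RE = re.compile(r'(^|/)\.git(/|$)|(^|/)\.git-credentials$')

# Constructed sample log (documentation IP ranges, fictional timestamps):
# one client walks the repository and is served everything, another is
# refused with 403 because the web server denies access to .git.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2021:09:14:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.7 - - [11/Jan/2021:09:14:02 +0000] "GET /.git/config HTTP/1.1" 200 311
203.0.113.7 - - [11/Jan/2021:09:14:03 +0000] "GET /.git/index HTTP/1.1" 200 48213
203.0.113.7 - - [11/Jan/2021:09:14:03 +0000] "GET /.git/objects/ab/cdef01 HTTP/1.1" 200 1902
203.0.113.7 - - [11/Jan/2021:09:14:04 +0000] "GET /.git-credentials HTTP/1.1" 200 71
198.51.100.9 - - [11/Jan/2021:09:20:11 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.9 - - [11/Jan/2021:09:20:12 +0000] "GET /.git/HEAD HTTP/1.1" 403 199
"""

def analyse(log_text):
    """Return (per_ip, served_paths): per_ip maps client -> request/served
    counts for .git paths ("served" = 2xx answers, i.e. confirmed exposure);
    served_paths lists the distinct sensitive paths the server handed out."""
    per_ip = defaultdict(lambda: {"requests": 0, "served": 0})
    served_paths = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not SENSITIVE_RE.search(m["path"]):
            continue
        per_ip[m["ip"]]["requests"] += 1
        if m["status"].startswith("2"):
            per_ip[m["ip"]]["served"] += 1
            served_paths.add(m["path"])
    return dict(per_ip), sorted(served_paths)

if __name__ == "__main__":
    per_ip, served = analyse(SAMPLE_LOG)
    for ip, counts in per_ip.items():
        print(f"{ip}: {counts['requests']} .git requests, {counts['served']} served")
    print("exposed paths:", ", ".join(served) or "none")
```

A client with a high "served" count against .git paths is evidence the repository was actually retrievable, which is the condition to treat as an incident rather than a blocked probe.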


The data the researchers were able to access contained more than 100.000 UN staff files. Using these credentials, the researchers retrieved more than 100.000 UN staff files from multiple systems.
The data set obtained by the group included UN staff travel history, with each row containing: employee ID, names, staff groups, trip justification, start and end dates, approval status, destination and length of stay. Other UN databases accessed by the researchers exposed human resources data (nationality, gender, salary) for thousands of employees, archives of project funding sources, general employee records and job evaluation reports.


Researchers at Sakura Samurai told BleepingComputer about the project: "When we started researching the UN, we did not think it would develop so quickly. Within a few hours, we had already acquired sensitive data and identified vulnerabilities. In total, in less than 24 full hours we received all this data. In total, we found 7 additional pairs of credentials that could have led to unauthorized access to multiple databases. We decided to stop and report this vulnerability as soon as we could access PII that was exposed through backups of databases in private projects."

It is worth noting that malicious actors may also have obtained access to this data.

Saiful Ridwan, head of corporate solutions at UNEP, thanked the researchers for reporting the vulnerability, saying the DevOps team had taken immediate steps to remediate it and that an assessment of its impact was under way. The researchers told BleepingComputer that the United Nations had taken immediate action to mitigate the vulnerability, noting that their only remaining concern was that those affected be informed. In particular, Aubrey Cottle, AKA Kirtaner, noted that if the data was so easy to obtain, cybercriminals had probably already obtained it.

United Nations

This is not the first time UN systems have been compromised. The organization is a frequent target of cybercriminals. Hundreds of gigabytes of internal data were stolen in 2019, possibly containing highly sensitive information about human rights activists - a fact that became known in 2020. The organization appeared to be using its diplomatic immunity to keep the incident a secret.

This time, however, the UN is believed to have quickly fixed these vulnerabilities and secured the exposed data.

