
Ethical Hackers Breach U.N., Access 100,000 Private Records
2021-01-12 15:00

Security researchers successfully hacked the United Nations, accessing user credentials and personally identifiable information, including more than 100,000 private employee and project records, before informing the U.N. about the problem through the organization's vulnerability disclosure program.

Ethical hackers from the research group Sakura Samurai used a vulnerability in a GitHub directory that exposed WordPress DB and GitHub credentials, allowing access to numerous private records from the U.N.'s Environment Program.

Researchers were able to access a significant amount of sensitive U.N. information in their breach, including 102,000 travel records; more than 7,000 records of human resources nationality demographics; more than 1,000 generalized employee records; more than 4,000 project and funding-source records; and evaluation reports of 283 projects.

In addition to accessing records through the Git-related flaw, researchers, "on the lesser side of severity," took over an SQL Database and a Survey Management program belonging to the International Labor Organization.

"In total, we found seven additional credential-pairs which could have resulted in unauthorized access of multiple databases," researchers wrote.

Last July, hackers breached the U.N. by exploiting a Microsoft SharePoint vulnerability in an apparent espionage operation, reportedly giving the attackers access to an estimated 400 GB of sensitive data.


News URL

https://threatpost.com/hackers-breach-un-access-records/162944/