Cybersecurity researchers gain access to more than 100,000 records of UN employees

Through the United Nations' vulnerability disclosure program, it has emerged that, in a matter of hours, it was possible to access the private data of more than 100,000 employees of the international organization. The discovery was made by the ethical hacking and cybersecurity group Sakura Samurai.

Jackson Henry, Nick Sahler, John Jackson and Aubrey Cottle, the members of the group, looked for vulnerabilities by exploring multiple endpoints until they found a vulnerable one: an endpoint that exposed Git credentials.

Looking for vulnerabilities to fix them

What they first found was an exposed subdomain of the International Labor Organization, the United Nations agency specializing in labor and industrial relations issues. From there, they were able to access Git credentials that, using the git-dumper tool to exfiltrate the repository contents, gave them a MySQL database and a survey management platform.

Following the thread, and after verifying that the above contained practically nothing useful, they finally found a subdomain of the United Nations Environment Program.

"Ultimately once we discovered the GitHub credentials we were able to download a bunch of password protected private GitHub projects and within the projects we found multiple sets of application and database credentials for the UNEP production environment," explains Jackson in a post on his website.

The credentials gave them the ability to download the Git repositories, "identifying a ton of user records and PII".
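The chain described above rests on two preventable defects: version-control metadata reachable under a web root (which is what git-dumper reconstructs a repository from) and live database credentials committed to source. The following script, an added example and not code from Sakura Samurai or the UN, shows the two checks a defender would run on their own systems: a walk of a local document root that reports any `.git`/`.svn`/`.hg` directory inside it, and a small pattern-based scanner that flags committed credentials so they can be removed and rotated before a repository leaks. The sample `config.php` content, the temporary web root and the regular expressions are all constructed for this example; a production secret scanner would use a curated rule set and entropy checks.

```python
"""Two defensive checks, constructed for this example.

1. find_exposed_dotgit(webroot): report VCS metadata directories that sit
   inside a web document root, where a web server would serve them.
2. scan_for_credentials(text, path): flag lines that look like committed
   database or application credentials.
"""
import os
import re
import tempfile

# Directories that must never be reachable under a web root.
VCS_DIRS = (".git", ".svn", ".hg")

# Credential shapes for the scanner. Constructed for this example; real
# scanners ship far larger rule sets.
CREDENTIAL_PATTERNS = {
    # mysql://user:password@host/db connection strings
    "mysql_uri": re.compile(r"mysql://[^:\s/]+:[^@\s]+@\S+", re.I),
    # password = 'value' / db_pass: "value" style assignments (6+ chars)
    "password_assignment": re.compile(
        r'\b(?:db_pass(?:word)?|password|passwd|pwd)\s*[:=]\s*["\']([^"\'\s]{6,})["\']',
        re.I),
    # PEM private key headers committed as files
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def scan_for_credentials(text, path="<input>"):
    """Return (path, line_no, rule) for every line that matches a rule.

    The matched secret itself is deliberately not returned, so findings can
    be logged or printed without spreading the credential further.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, rule))
    return findings


def find_exposed_dotgit(webroot):
    """Walk a document root and return VCS metadata directories found inside it."""
    exposed = []
    for dirpath, dirnames, _files in os.walk(webroot):
        for name in list(dirnames):
            if name in VCS_DIRS:
                exposed.append(os.path.relpath(os.path.join(dirpath, name), webroot))
                dirnames.remove(name)  # no need to descend into the metadata itself
    return sorted(exposed)


# Constructed sample of a config file committed to a repository.
SAMPLE_CONFIG = """\
# constructed sample config.php
$db_host = 'db.internal.example';
$db_user = 'app';
$db_pass = 'Sup3rSecret!';
$api_url = 'https://api.example.test/v1';
$dsn = 'mysql://survey:hunter2pass@db.internal.example/survey';
"""


def build_demo_webroot():
    """Create a throwaway document root with stray .git and .svn dirs (constructed)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, ".git", "objects"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    os.makedirs(os.path.join(root, "assets", ".svn"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    return root


if __name__ == "__main__":
    for finding in scan_for_credentials(SAMPLE_CONFIG, "config.php"):
        print("credential-like line:", finding)
    print("VCS metadata under webroot:", find_exposed_dotgit(build_demo_webroot()))
```

Run against a real deployment, `find_exposed_dotgit` takes the server's document root (for example the directory nginx or Apache serves), and `scan_for_credentials` is run over every tracked file, typically from a pre-commit hook or CI job; any hit means the credential must be treated as exposed and rotated, not merely deleted from the next commit, because it remains in history.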

After processing all the information, they identified more than 100,000 private records of employees with information such as names, identification numbers, gender and detailed travel records. They also saw that multiple databases could be accessed without authorization. At this point, they reported the vulnerability to the United Nations. According to Hack News, it has already been patched.