UN hacked for good as 100K+ employee records accessed


United Nations’ Vulnerability Disclosure Program Leads to Startling Discovery as Researchers Accessed Private Data of 100,000 UNEP Employees.


Sakura Samurai’s ethical hacking and cybersecurity researchers have disclosed startling new findings of a vulnerability that allowed them to access the private data of over 100,000 United Nations Environment Program (UNEP) employees.


The research team included Jackson Henry, Nick Sahler, John Jackson (Sakura Samurai's founder) and Aubrey Cottle, and the discovery was made under the UN's Vulnerability Disclosure Program, which is run on HackerOne.


Sakura Samurai's researchers set out to find security flaws affecting UN systems. They probed multiple endpoints within the program's scope and initially found nothing of interest.




Eventually, the researchers found an exposed subdomain belonging to the International Labour Organization (ILO) that gave them access to Git credentials.

They used the git-dumper tool to download the exposed .git directory and recovered the credentials from its contents. With those credentials, the researchers were able to take over a legacy MySQL database as well as a survey management platform.



Git Directory Responsible for the Breach


According to Sakura Samurai, the exposed Git directories and the credentials inside them allowed the team to clone Git repositories and collect a large amount of personally identifiable information on more than 100,000 employees. The exposed subdomain posed a greater privacy risk than an ordinary misconfiguration because the credentials it leaked opened the door to other systems.
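The mechanism described here, a web server that serves its document root's .git directory, is easy to test for and easy to triage. The following is an added example, not code from Sakura Samurai, HackerOne or the UN: it classifies the response to a probe of `/.git/HEAD` so that a "soft 404" page is not mistaken for a leak, parses a dumped `.git/config` the way git writes it, and pulls out any credentials embedded in remote URLs, which is the usual route from a leaked repository to other systems. The host name, repository name and credentials in the sample responses are constructed for the demonstration, and `triage()` works on pre-fetched responses so the example runs offline.

```python
"""Detect an exposed .git directory and the credentials it can leak.

Added example (not the researchers' or the UN's code). Host names, paths
and the sample .git contents below are constructed for the demonstration.
"""
import re
from urllib.parse import urlsplit

# Files that git-dumper-style tools fetch first when a .git directory is
# reachable over HTTP; if /.git/HEAD answers, the rest usually does too.
GIT_PROBE_PATHS = [".git/HEAD", ".git/config", ".git/index",
                   ".git/packed-refs", ".git/logs/HEAD"]

# A real HEAD is either a symbolic ref or a detached 40-hex SHA-1.
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")


def looks_like_git_head(body: str) -> bool:
    """True when an HTTP body is a genuine .git/HEAD, which separates a live
    leak from a server that answers 200 with an HTML 'not found' page."""
    return bool(_HEAD_RE.match(body.strip()))


def parse_git_config(text: str) -> dict:
    """Minimal .git/config parser returning {section: {key: value}}.
    Handles the tab-indented 'key = value' layout git writes and skips
    comments; good enough for remote URLs, which is all we need here."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def credentials_in_git_config(text: str) -> list:
    """Return (section, username, password) for every remote URL that
    embeds credentials, e.g. https://user:pass@host/repo.git."""
    found = []
    for section, kv in parse_git_config(text).items():
        url = kv.get("url")
        if not url:
            continue
        parts = urlsplit(url)
        if parts.username:
            found.append((section, parts.username, parts.password))
    return found


def triage(responses: dict) -> dict:
    """responses maps a probe path to (status, body), as a fetch of
    https://<host>/<path> would return. Only a confirmed HEAD counts as
    exposure; credentials are reported only from an exposed repository."""
    head = responses.get(".git/HEAD")
    exposed = head is not None and head[0] == 200 and looks_like_git_head(head[1])
    creds = []
    cfg = responses.get(".git/config")
    if exposed and cfg and cfg[0] == 200:
        creds = credentials_in_git_config(cfg[1])
    return {"exposed": exposed, "credentials": creds}


# Constructed sample: what a misconfigured server might answer.
SAMPLE_RESPONSES = {
    ".git/HEAD": (200, "ref: refs/heads/master\n"),
    ".git/config": (200, "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
                         '[remote "origin"]\n'
                         "\turl = https://deploy:Tr0ub4dor@git.example.test/survey-app.git\n"
                         "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"),
}
# Constructed 'soft 404': HTTP 200 with an HTML page must not count as exposed.
SOFT_404_RESPONSES = {".git/HEAD": (200, "<html><body>Not found</body></html>")}

if __name__ == "__main__":
    print(triage(SAMPLE_RESPONSES))
    print(triage(SOFT_404_RESPONSES))
```

For a live check, fetch each path in `GIT_PROBE_PATHS` from the target host and pass the (status, body) pairs to `triage()`; an `exposed` result means the whole repository, including history, can be reconstructed with git-dumper. The fix on the server side is to never deploy with the `.git` directory inside the document root and to deny it at the web server as defence in depth (for nginx, a `location ~ /\.git { deny all; }` rule), and any credential the scan reports should be treated as compromised and rotated.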


Researchers dumped the Git files contents and cloned entire rep ..
