United Nations’ Vulnerability Disclosure Program Leads to Startling Discovery as Researchers Accessed Private Data of 100,000 UNEP Employees.
Sakura Samurai’s ethical hacking and cybersecurity researchers have disclosed startling new findings of a vulnerability that allowed them to access the private data of over 100,000 United Nations Environment Program (UNEP) employees.
The research team included Jackson Henry, Nick Sahler, John Jackson (Sakura Samurai’s founder), and Aubrey Cottle, and the discovery was made under the UN’s Vulnerability Disclosure Program with HackerOne.
Sakura Samurai researchers set out to discover security flaws affecting UN systems. Initially, they couldn’t find anything interesting while probing multiple endpoints that fell within the scope of the program.
Finally, the researchers were able to find an exposed subdomain of the International Labour Organization (ILO). This allowed them to access Git credentials.
Using these credentials, the researchers were able to take over a legacy MySQL database as well as a survey management platform. They used the git-dumper tool to retrieve the exposed repository contents and the credentials inside them.
Git Directory Responsible for the Breach
According to Sakura Samurai, exposed Git credentials and directories allowed them to clone Git repositories and collect a large amount of personally identifiable information of more than 100,000 employees. The exposed subdomain posed a greater privacy risk because it was leaking Git credentials.
Researchers dumped the contents of the exposed .git directories and cloned entire repositories from *.unep.org and *.ilo.org domains using git-dumper. The .git directories included sensitive files, for instance WordPress configuration files, which exposed the administrator’s database credentials.
“Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects, we found multiple sets of database and application credentials for the UNEP production environment,” Jackson stated in a blog post.
Researchers found seven additional credential pairs that could have allowed threat actors to access multiple databases. Hence, the team decided to report the vulnerability after accessing the PII “exposed via database backups that were in the private projects.”
They identified various PHP files exposed as well, which contained plaintext database credentials linked with other online systems of UN ILO and UNEP. Additionally, using the publicly accessible Git credentials, researchers could access UNEP’s source code base too.
Private Data of 100k+ Employees Exfiltrated
Researchers exfiltrated private data of more than 100,000 UN employees from multiple UN systems. The data set contained the travel history of UN staff. Each of the rows contained sensitive information such as employee ID, email addresses, employee groups, names, travel justifications, approval status, start/end dates, destination, and stay duration.
Other UN databases they accessed contained HR demographic data, which included nationality, gender, grade, and pay-related information of thousands of employees along with project funding source codes, employee evaluation reports, and generalized employee records.
“When we started researching the UN, we didn’t think it would escalate so quickly. Within hours, we already had sensitive data and had identified vulnerabilities. Overall, in less than 24 full hours we obtained all of this data,” researchers noted.
Dotan Nahum, CEO and Founder of Spectral, commented on the issue and told Hackread.com that:
“There are a few developer best practices that may have been missing at various stages of the SDLC (Software Development Life-Cycle). Two of those are – storing sensitive information and credentials in their codebase which is not advised, and the second is making sure sensitive code infrastructure data, such as the Git metadata (raw storage of the original codebase) is not exposed publicly.”
“It is easy to see how such a thing slipped through the cracks when an organization relies on a human sign off: credentials in code can be hard to trace in large codebases, and the Git metadata objects are usually hidden from most regular users,” Dotan added.
“To avoid these types of mistakes, there needs to be tooling and automation that can keep up with the pace of development and with the hidden – mistake-prone – cybersecurity issues that will surely surface with time as codebases and teams grow,” Dotan advised.
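As an added illustration of the two failure modes described in this story (a .git directory reachable under a web root, and plaintext credentials committed in configuration files such as wp-config.php) and of the kind of automated check Dotan Nahum argues for, here is a small pre-deploy audit script. It is not code from the UN, ILO or Sakura Samurai; the sample web root it scans is constructed inline, and the file names and values in it are illustrative only.

```python
"""Pre-deploy audit: flag a .git directory inside a web root and any
config file holding credential-looking settings with plaintext values.
Added example; the sample files below are constructed, not real data."""
import re
import tempfile
from pathlib import Path

# Setting names that usually carry a secret (WordPress DB_PASSWORD, AUTH_KEY, API tokens...).
SECRET_NAMES = re.compile(r"(PASSWORD|PASS|SECRET|TOKEN|KEY|SALT)", re.I)
# WordPress-style:  define('DB_PASSWORD', 'value');   dotenv-style:  DB_PASSWORD=value
PHP_DEFINE = re.compile(r"""define\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
DOTENV = re.compile(r"^([A-Z0-9_]+)\s*=\s*(\S+)\s*$", re.M)

def find_secrets(text):
    """Return [(name, value)] for credential-looking settings that have a non-empty value."""
    hits = []
    for pattern in (PHP_DEFINE, DOTENV):
        for name, value in pattern.findall(text):
            if SECRET_NAMES.search(name) and value:
                hits.append((name, value))
    return hits

def audit_webroot(root):
    """Walk a web root; report exposed VCS metadata and files containing plaintext credentials."""
    root = Path(root)
    report = {"exposed_git": (root / ".git").is_dir(), "secrets": {}}
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue  # .git internals are reported once above, not scanned line by line
        hits = find_secrets(path.read_text(errors="ignore"))
        if hits:
            report["secrets"][str(path.relative_to(root))] = [name for name, _ in hits]
    return report

SAMPLE_FILES = {  # constructed sample web root for demonstration only
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wpadmin');\n"
                     "define('DB_PASSWORD', 'example-only-pw');\n",
    ".env": "APP_ENV=production\nSURVEY_API_TOKEN=example-only-token\n",
    "index.php": "<?php echo 'hello';\n",
    ".git/HEAD": "ref: refs/heads/main\n",
}

def build_sample_root():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp())
    for rel, body in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    result = audit_webroot(build_sample_root())
    print("exposed .git directory:", result["exposed_git"])
    for filename, names in result["secrets"].items():
        print(f"{filename}: plaintext credential(s) {', '.join(names)}")
```

A real deployment would run the same check in CI against the build artifact and, separately, confirm at the web server that requests for /.git/ are denied.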
UN Saves the Day
The vulnerability was reported to the UN on January 4th, 2021. The UN Office of Information and Communications Technology acknowledged the findings. Initially, they believed the information was associated with ILO only.
However, later they realized that UNEP data was also exposed. UNEP’s Chief of Enterprise Solutions, Saiful Ridwan, thanked the researchers and noted that their DevOps team had patched it, and an impact assessment report was in progress.