Security researchers at Sakura Samurai have discovered a vulnerability in United Nations systems that allowed them to access over 100,000 personal records and credentials belonging to U.N. employees.
The team found the exposure while looking for security issues to report to the U.N. under its vulnerability disclosure program. During their analysis the researchers found an exposed subdomain of the International Labour Organization (ILO), a U.N. body, that was leaking the contents of a .git directory, including Git credentials. Using these credentials the team was able to take over a legacy MySQL database and a survey management platform belonging to the ILO. The .git contents were retrieved with the help of the git-dumper tool.
While the MySQL database and the survey management platform were largely abandoned and contained hardly anything of use, the researchers then found a subdomain of the United Nations Environment Programme (UNEP) that was also leaking GitHub credentials.
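The root cause in both cases was a web server that happened to serve a checked-out repository's .git directory. The following script, an added example that is not part of the article or of the researchers' tooling, is the check a site operator can run against their own hosts: it requests `/.git/HEAD` and `/.git/config` and classifies the answer by content rather than status code, so a server that returns a 200 HTML error page for every path is not reported as exposed. The hostnames in the sample `main` are constructed placeholders.

```python
"""Check whether a web host serves its .git directory to anonymous clients.

Added example (not from the article). Run it only against hosts you administer.
"""
import re
import sys
import urllib.error
import urllib.request

# The two files every Git repository has; both are small and text-only.
PROBE_PATHS = ("/.git/HEAD", "/.git/config")

# HEAD is either "ref: refs/heads/<branch>" or a bare 40-hex commit id.
_DETACHED_HEAD = re.compile(r"[0-9a-f]{40}\s*")


def classify_git_response(status, body):
    """Classify one HTTP response to a .git probe.

    Returns 'exposed' when the body looks like a genuine Git metadata file,
    'blocked' for 401/403, and 'absent' otherwise (404, or a 200 whose body
    is not Git data, e.g. a catch-all HTML page).
    """
    if status in (401, 403):
        return "blocked"
    if status != 200:
        return "absent"
    text = body.decode("utf-8", errors="replace").lstrip()
    looks_like_git = (
        text.startswith("ref: refs/")          # HEAD pointing at a branch
        or _DETACHED_HEAD.fullmatch(text)      # HEAD pointing at a commit
        or text.startswith("[core]")           # start of .git/config
    )
    return "exposed" if looks_like_git else "absent"


def probe_host(host, timeout=5.0):
    """Fetch each probe path over HTTPS and classify the result per path."""
    results = {}
    for path in PROBE_PATHS:
        req = urllib.request.Request(
            f"https://{host}{path}",
            headers={"User-Agent": "git-exposure-self-check"},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read(4096)
        except urllib.error.HTTPError as err:
            status, body = err.code, b""
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
            continue
        results[path] = classify_git_response(status, body)
    return results


def main(argv):
    # Constructed placeholder hostnames; replace with hosts you own.
    hosts = argv[1:] or ["www.example.invalid", "survey.example.invalid"]
    for host in hosts:
        for path, verdict in probe_host(host).items():
            print(f"{host}{path}: {verdict}")


if __name__ == "__main__":
    main(sys.argv)
```

A verdict of `exposed` on `/.git/HEAD` means the whole object store can be reconstructed, which is exactly what git-dumper automates; the fix is to keep the repository out of the document root (deploy an export or build artifact, not a clone) and, as defence in depth, deny `/.git` at the web server, for example with `location ~ /\.git { deny all; }` in nginx. Credentials that were ever committed should be rotated rather than merely removed from the tree, since they remain in the repository history.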
“Ultimately, once we discovered the GitHub credentials, we were able to download a lot of private password-protected GitHub projects and within the projects we found multiple sets of database and application credentials for the UNEP production environment. In total, we found 7 additional credential-pairs which could have resulted in unauthorized access of multiple databases,” the researchers said.
In total, the team found over 100,000 employee records, including names, ID numbers, gender, pay grade, travel details, work sub-areas and departments, evaluation reports and funding source records.
The researchers told BleepingComputer that they contacted the U.N. about the issue on January 4, 2021, and that the vulnerability was patched within a week.