Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/12/2021
04:55 PM
50%
50%

United Nations Security Flaw Exposed 100K Staff Records

Security researchers have disclosed a vulnerability they exploited to access more than 100,000 private employee records.

Security researchers have disclosed a vulnerability they exploited to access at least 100,000 private records belonging to employees of the United Nations' Environmental Programme (UNEP).

Related Content:

Microsoft Defender Zero-Day Fixed in First Patch Tuesday of 2021

How Data Breaches Affect the Enterprise

New From The Edge: Cartoon: Shakin' It Up at the Office

Jackson Henry, John Jackson, Nick Sahler, and Aubrey Cottle, a team with security research group Sakura Samurai, discovered the flaw while looking for bugs affecting UN systems, Bleeping Computer reports. They found exposed Git directories and Git credential files on domains connected to both the UNEP and the UN International Labour Organization (ILO); they were able to dump the contents of these files and clone repositories.

The Git directory held sensitive files, including WordPress configuration files containing admin database credentials. These credentials gave the team access to at least 100,000 UN employee records from multiple systems. Exfiltrated data included employee ID, name, employee group, travel justification, start and end dates, approval status, destination, and the length of stay.

Researchers were also able to access more UN databases containing generalized employee records, employee evaluation reports, project funding source records, and human resources' demographic data, including nationality, gender, and pay grade, for thousands of UN workers. 

The researchers say the issue has now been addressed. Read the full findings here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting
CVE-2020-12513
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated blind OS Command Injection.
CVE-2020-12514
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a NULL Pointer Dereference that leads to a DoS in discoveryd
CVE-2020-12525
PUBLISHED: 2021-01-22
M&M Software fdtCONTAINER Component in versions below 3.5.20304.x and between 3.6 and 3.6.20304.x is vulnerable to deserialization of untrusted data in its project storage.
CVE-2020-12511
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to a Cross-Site Request Forgery (CSRF) in the web interface.