The United Nations was breached, with the details of more than 100,000 U.N. Environment Programme (UNEP) employees exposed. But there is a twist: the breach was uncovered by white-hat hackers.
The ethical hacking and security research group Sakura Samurai probed several U.N. domains after learning that the organization ran a vulnerability disclosure program.
The researchers found exposed `.git` directories and Git credential files on domains used by UNEP and the U.N.'s International Labour Organization (ILO). A web server that serves its `.git` directory lets anyone reconstruct the repository, including commit history and any secrets ever committed, and a `.git-credentials` file stores remote logins as plaintext `https://user:token@host` lines. Using these files, the ethical hackers reconstructed the repositories with git-dumper, a tool for dumping a Git repository from a website.
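The check below is an added example written for this page, not a tool from Sakura Samurai or the U.N. It probes a web root for the same artefacts git-dumper starts from (`/.git/HEAD`, `/.git/config`, `/.git-credentials`), confirms that a 200 response is really a Git `HEAD` file rather than a catch-all page, and flags embedded `user:secret@host` URLs without printing the secret. So that it runs offline, it also starts a local HTTP server over a constructed web root; the hostnames, usernames and tokens in that web root are made up for the demonstration.

```python
"""Probe a web root for an exposed Git repository and leaked credentials.

Added example, not code from the original article. The web root served by
serve_constructed_webroot() is constructed here purely for demonstration.
"""
import os
import re
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# The first files git-dumper-style tooling fetches; any one of them being
# readable is enough to start reconstructing the repository or harvest secrets.
GIT_PROBE_PATHS = ("/.git/HEAD", "/.git/config", "/.git-credentials")

# A real HEAD is either "ref: refs/heads/<branch>" or a bare 40-hex commit id.
HEAD_RE = re.compile(r"^(ref: refs/|[0-9a-f]{40}$)")

# user:secret@host inside an http(s) URL, as written to .git-credentials or to
# a "url =" line of a remote section in .git/config.
CRED_URL_RE = re.compile(r"https?://([^:/@\s]+):([^@\s]+)@([^/\s]+)")


def looks_like_git_head(body):
    """True if the body has the shape of a Git HEAD file."""
    return bool(HEAD_RE.match(body.strip()))


def find_embedded_credentials(text):
    """Return host/user pairs for every credential-bearing URL; the secret is
    never returned, only its length, so reports can be shared safely."""
    return [
        {"host": host, "user": user, "secret_len": len(secret)}
        for user, secret, host in CRED_URL_RE.findall(text)
    ]


def fetch(url, timeout=5.0):
    """Return (status, body); status is None if the connection failed."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, ""
    except URLError:
        return None, ""


def check_exposed_git(base_url):
    """Probe base_url for exposed Git artefacts and embedded credentials."""
    report = {"exposed": [], "credentials": []}
    for path in GIT_PROBE_PATHS:
        status, body = fetch(base_url.rstrip("/") + path)
        if status != 200:
            continue
        # Many sites answer every path with 200 and an HTML page; only count
        # HEAD if the body actually looks like a Git HEAD file.
        if path.endswith("/HEAD") and not looks_like_git_head(body):
            continue
        report["exposed"].append(path)
        report["credentials"].extend(find_embedded_credentials(body))
    return report


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo server silent
        pass


def serve_constructed_webroot():
    """Start a local server over a constructed web root that mimics a site
    whose .git directory and credential file are world-readable.
    Returns (base_url, server); call server.shutdown() when done."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        # Hypothetical remote with a token baked into the URL (constructed).
        fh.write('[remote "origin"]\n'
                 "\turl = https://deploy:hunter2token@git.example.org/org/app.git\n")
    with open(os.path.join(root, ".git-credentials"), "w") as fh:
        fh.write("https://ci-bot:s3cr3t@git.example.org\n")  # constructed
    server = ThreadingHTTPServer(("127.0.0.1", 0),
                                 partial(_QuietHandler, directory=root))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server


if __name__ == "__main__":
    base, srv = serve_constructed_webroot()
    try:
        print(check_exposed_git(base))
    finally:
        srv.shutdown()
```

Against the constructed web root the report lists all three paths as exposed and two credential entries (users `deploy` and `ci-bot`). The server-side fix is not to rely on nobody looking: deploy from a build artefact rather than a checkout, or at minimum have the web server refuse any path containing `/.git` and never place `.git-credentials` under a document root.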
The dumped files contained U.N. staff travel records, with employee IDs, travel justifications, approval status, names, start and end dates, employee groups, length of stay and destination all visible.
Sakura Samurai were also able to obtain human resources data containing personally identifiable information, project funding records, employee evaluations and general employee records.
The whole point of a vulnerability disclosure program is to find vulnerabilities and deal with them before they cause harm. The U.N. managed to fail even at this. On January 4, Sakura Samurai reported the exposure to the U.N. and was told the issue had nothing to do with the U.N. Secretariat or the ILO.
The failings of the U.N.
Eventually, the U.N. realized it was leaking data, and Saiful Ridwan, chief of enterprise solutions at UNEP, stepped forward. In a show of clownish proportions, he thanked the ethical hackers for letting the organization know about the vulnerability.
He added that dealing with the problem was tricky because they had never had to handle anything like it before.
It is thought unlikely that bad actors exploited the exposure before it was found, though exposed `.git` directories are a routine target of automated scanning, so the absence of evidence is not proof that nobody else got there first.