While the UN laughed at Trump, hackers chortled at the UN's lousy web application security

Jobseekers' files follow internal records leaking online


The United Nations has been hit with two damning data leak allegations in as many days.

The global organization has seen researchers uncover a pair of flaws that had left a number of its records, and those of its employees, accessible to hackers online.

Word of the first issue came out yesterday when security researcher Kushagra Pathak found that the UN had left an unsecured set of Trello, Jira and Google Docs projects exposed to the internet.

Pathak, who has specialized in uncovering vulnerable Trello boards and web apps, said the exposed information included account credentials and internal communications and documents used by UN staff to plan projects.

After stumbling onto the vulnerable Trello board, he was then able to get access to the Jira and Google Docs deployments, where he harvested other sensitive data. Pathak privately reported the issue to the UN, which has since locked down the vulnerable web app instances.

The second exposure was uncovered by researcher Mohamed Baset of Seekurity and resulted in the exposure of "thousands" of résumés submitted by job applicants.

Baset reports that the UN misconfigured the Apache web server for one of its WordPress-powered websites, specifically the site it runs to handle job applications. This misconfiguration permits the listing of directory contents, allowing miscreants to peek into a folder of uploaded CVs and application letters, and thus view thousands of documents submitted by people applying for a job with a UN agency.
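The misconfiguration Baset describes comes down to one Apache option. The fragment below is an added example, not the UN's configuration and not from the article; the path `/var/www/html/wp-content/uploads` is assumed because that is where a default WordPress install stores uploaded files, and the weak setting is shown commented out beside the corrected one.

```apache
# Added example (not the UN's real config). Path is an assumption:
# WordPress keeps uploaded files under wp-content/uploads by default.

# WEAK (shown commented out): with "Indexes" on, a request for a directory
# that has no index.html/index.php makes mod_autoindex render a clickable
# listing of every file in it, so anyone can browse the uploaded CVs.
#
# <Directory "/var/www/html/wp-content/uploads">
#     Options Indexes FollowSymLinks
#     AllowOverride None
#     Require all granted
# </Directory>

# CORRECTED: the leading "-" removes Indexes. A directory without an index
# file now answers 403 Forbidden instead of listing its contents; direct
# links to individual files keep working, so the site itself is unaffected.
<Directory "/var/www/html/wp-content/uploads">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Belt and braces: turn listings off server-wide so a new upload directory
# added later does not reintroduce the problem.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
```

After changing the config, run `apachectl configtest` and reload Apache, then request the upload directory itself (for example `curl -sI https://your-site.example/wp-content/uploads/`) and confirm the status line reads `403 Forbidden` rather than `200 OK`. If `AllowOverride` permits it, the same `Options -Indexes` line in a `.htaccess` file inside the directory has the same effect, but the `<Directory>` block in the main config cannot be undone by a stray file in the upload tree.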

The configuration blunder was reported to the UN in August, but after getting the full bureaucratic runaround, Baset decided to go public with the flaw this week and share a proof-of-concept video:

[Embedded YouTube video: proof-of-concept demonstration]

It wasn't all long faces at the UN this week, however.

Members of the org had a moment of levity this morning when US President Donald Trump addressed the General Assembly. The Commander-in-Chief's boasts of historic accomplishments at the helm of America sparked chuckling and guffawing by foreign diplomats witnessing his speech...

A nice chuckle was had by most. Meanwhile, at last estimate, Trump was custodian to some 4,000 nuclear warheads. ®

Editor's note: This article was revised after publication to clarify that the CV disclosure bug was an Apache web server misconfiguration.
