While the UN laughed at Trump, hackers chortled at the UN's lousy web application security

Jobseekers' files follow internal records leaking online


The United Nations has been hit with two damning data leak allegations in as many days.

Researchers have uncovered a pair of flaws that left internal UN records, staff credentials and thousands of job applicants' CVs readable by anyone who knew where to look online.

Word of the first issue came out yesterday when security researcher Kushagra Pathak found that the UN had left a set of Trello boards, Jira projects and Google Docs exposed to the internet without any access control.

Pathak, who has specialized in uncovering vulnerable Trello boards and web apps, said the exposed information included account credentials and internal communications and documents used by UN staff to plan projects.

After stumbling onto the open Trello board, he was able to follow links from it into the Jira and Google Docs deployments, where he found further sensitive data. Pathak privately reported the issue to the UN, which has since locked down the exposed instances.

The second exposure was uncovered by researcher Mohamed Baset of Seekurity and resulted in the exposure of "thousands" of résumés submitted by job applicants.

Baset reports that the UN misconfigured the Apache web server for one of its WordPress-powered websites, specifically the site it runs to handle job applications. Apache's directory-index feature was left enabled on the folder where the site stored uploaded files, so anyone requesting that folder's URL received an automatically generated "Index of" page listing every file in it. Miscreants could therefore browse, and download, thousands of CVs and application letters submitted by people applying for a job with a UN agency. Note that the listing is what made the leak trivial, not what made the files reachable: a file in a web-served directory can be fetched by anyone who knows its name regardless of whether indexing is on, so the durable fix is to keep applicant documents out of the web root (or behind authentication), with disabling the index as the quick first step.
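For readers who run Apache in front of WordPress, here is the configuration pattern described above beside its corrected form. This is an added illustration, not the UN's actual configuration; the document root, the uploads path and the Apache 2.4 `Require` syntax are assumptions. The hardened block also denies execution of PHP inside the uploads directory, which goes slightly beyond the article's point but is the usual companion hardening for any user-upload folder.

```apache
# --- Weak: "Indexes" enables mod_autoindex, so any directory without an
# index.html/index.php (such as an uploads folder) is served as a file listing.
# Paths are assumed for illustration.
<Directory "/var/www/jobs/wp-content/uploads">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# --- Hardened: the relative form "-Indexes" removes only the Indexes option
# and inherits everything else from the parent <Directory>. With Indexes off,
# a request for the bare directory URL gets 403 Forbidden instead of a listing.
<Directory "/var/www/jobs/wp-content/uploads">
    Options -Indexes
    AllowOverride None
    Require all granted
    # Uploads should be data, never code: refuse to serve PHP from this tree.
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Two checks worth doing after the change: first, `apachectl configtest` followed by a reload, then `curl -sI https://<host>/wp-content/uploads/` should now return `403` rather than `200` with an `Index of` page in the body. Second, if you rely on an `Options -Indexes` line in a `.htaccess` file instead of the main configuration, it only takes effect when `AllowOverride` for that directory includes `Options`; with `AllowOverride None` the `.htaccess` line is silently ignored, which is one common way this setting ends up looking fixed while still being open.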

The configuration blunder was reported to the UN in August, but after getting the full bureaucratic runaround, Baset decided to go public with the flaw this week and shared a proof-of-concept video on YouTube.


It wasn't all long faces at the UN this week, however.

Members of the organization had a moment of levity this morning when US President Donald Trump addressed the General Assembly. The Commander-in-Chief's boasts of historic accomplishments at the helm of America sparked chuckling and guffawing among the foreign diplomats witnessing his speech...

A nice chuckle was had by most. Meanwhile, at last estimate, Trump was custodian to some 4,000 nuclear warheads. ®

Editor's note: This article was revised after publication to clarify that the CV disclosure bug was an Apache web server misconfiguration.

Biting the hand that feeds IT © 1998–2018