United Nations Environment Programme Exposed More Than 100,000 Employee Records


Security researchers with the Sakura Samurai group found exposed GitHub credentials on a subdomain of the United Nations Environment Programme (UNEP), which gave them access to a data trove that included more than 100,000 employee records.

The Sakura Samurai researchers first found an ilo.org subdomain that exposed its .git directory while investigating security vulnerabilities in properties beyond the framework of the United Nations' vulnerability disclosure programme.

This allowed them to gain access to a SQL database and to take over an account on the International Labour Organization's Survey Management Platform. Although these are serious flaws, both services turned out to have been decommissioned and contained no user data.

Further fuzzing, however, led the researchers to a UNEP subdomain that leaked GitHub credentials, allowing them to view and download “many GitHub projects protected by private passwords.”
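An exposed .git directory of the kind described above is easy to detect on your own hosts before anyone else does. The following is an added example, not the researchers' tooling or anything from the page: it probes hosts you are authorised to test for `/.git/HEAD` and `/.git/config` and checks the response body against the real Git file format, so that a server answering every path with a 200 "soft 404" page does not count as a finding. The `fetch` parameter is an assumed hook so the check can be exercised offline.

```python
"""Check your own web hosts for an exposed .git directory (constructed example)."""
import sys
import urllib.request
from typing import Callable, Dict, Optional

# Paths whose content format is distinctive enough to confirm a real checkout.
GIT_PROBE_PATHS = ("/.git/HEAD", "/.git/config")


def looks_like_git_head(body: bytes) -> bool:
    """A real .git/HEAD is either 'ref: refs/...' or a bare 40-hex commit id."""
    text = body.strip()
    if text.startswith(b"ref: refs/"):
        return True
    return len(text) == 40 and all(c in b"0123456789abcdef" for c in text)


def looks_like_git_config(body: bytes) -> bool:
    """A real .git/config carries a [core] section with repositoryformatversion."""
    return b"[core]" in body and b"repositoryformatversion" in body


def http_get(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Return up to 4 KiB of a 200 response body, or None on any error."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(4096) if resp.status == 200 else None
    except Exception:
        return None


def check_host(host: str, fetch: Callable[[str], Optional[bytes]] = http_get) -> Dict[str, bool]:
    """Map each probe path to True only when the body matches the Git file format."""
    findings: Dict[str, bool] = {}
    for path in GIT_PROBE_PATHS:
        body = fetch(f"https://{host}{path}")
        if body is None:
            findings[path] = False
        elif path.endswith("HEAD"):
            findings[path] = looks_like_git_head(body)
        else:
            findings[path] = looks_like_git_config(body)
    return findings


if __name__ == "__main__":
    # Usage: python git_exposure_check.py host1.example host2.example ...
    for h in sys.argv[1:]:
        exposed = [p for p, hit in check_host(h).items() if hit]
        print(f"{h}: {'EXPOSED ' + ', '.join(exposed) if exposed else 'ok'}")
```

If a host reports `/.git/config` as exposed, treat every credential ever committed to that repository as compromised and rotate it; blocking the path in the web server is necessary but not sufficient.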

According to Sakura Samurai, some of these projects contained multiple databases as well as application credentials for UNEP's development framework. A total of seven credential pairs were found, giving unauthorised access to still more databases.

One of these held two files containing over 102,000 employee travel records, including names, employee ID numbers, employee classes, travel justification, travel start and end dates, approval status, duration of stay, and destination.

The researchers also discovered two databases containing more than 7,000 HR records of employee nationality details: names and classes of workers, ID numbers, employee nationality and ethnicity, employee pay grade, and the ID number and text labels of the employee's work unit.

Another file held over 1,000 general employee records: index numbers, employee names and addresses, and employment sub-areas.

A further file disclosed over 4,000 project and funding-source records, including affected regions, grant and co-financing amounts, sources of funding, project identification numbers, implementing organisations, countries, project duration, and approval status.

An evaluation reporting file held information on 283 projects, giving an overview of the evaluation and reporting, the dates during which the evaluation was carried out, and links to the study.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.