While The UN Laughed At Trump, Hackers Chortled At The UN’s Lousy Web Application Security

While The UN Laughed At Trump, Hackers Chortled At The UN’s Lousy Web Application Security

Jobseekers' files follow internal records leaking online The United Nations has been hit with two damning data leak a

US Setting Up Facial Recognition At Major Airports Without Proper Vetting
WiTopia personalVPN review: It's all about choices
Throwback Thursday: Whose idea was this, anyway?

Jobseekers’ files follow internal records leaking online

The United Nations has been hit with two damning data leak allegations in as many days.

The global organization has seen researchers uncover a pair of flaws that had left a number of its records, and those of its employees, accessible to hackers online.

Word of the first issue came out yesterday when security researcher Kushagra Pathak found that the UN had left an unsecured set of Trello, Jira and Google Docs projects exposed to the internet.

Pathak, who has specialized in uncovering vulnerable Trello boards and web apps, said the exposed information included account credentials and internal communications and documents used by UN staff to plan projects.

After stumbling onto the vulnerable Trello board, he was able to then get access to the Jira and Google Docs deployments where he harvested other sensitive data. Pathak privately reported the issue to UN, who has since locked down the vulnerable web app instances.

The second exposure was uncovered by researcher Mohamed Baset of Seekurity and resulted in the exposure of “thousands” of résumés submitted by job applicants.

Baset reports that the UN failed to patch vulnerabilities in one of the WordPress CMS systems it uses to handle job applications. This would potentially allow anyone who chose to exploit the local path disclosure the ability to access the thousands of CVs people had submitted when they applied for a job with a UN agency.

The vulnerability was reported to the UN in August, but after getting the full bureaucratic runaround, Baset decided to go public with the flaw this week, and share a proof of concept video:

Youtube Video

It wasn’t all long faces at the UN this week, however.

Members of the org had a moment of levity this morning when US President Donald Trump addressed the General Assembly. The Commander-in-Chief’s boasts of historic accomplishments at the helm of America sparked chuckling and guffawing by foreign diplomats witnessing his speech…

A nice chuckle was had by most. Meanwhile, at last estimate, Trump was custodian to some 4,000 nuclear warheads. ®

Sponsored:
The Six Essential Capabilities of an Analytics Driven SIEM

Go to Source

COMMENTS