UN Sensitive Information Exposed Publicly Due to Neglected Security Settings
Of all the many troublesome episodes on the Internet, most boil down to one common weakness: human error. Even the United Nations is not spared from this, as happened recently against the backdrop of the UN General Assembly meeting scheduled for 2018. The cause was a misconfiguration of the settings in Trello, Jira and Google Docs that are meant to keep data from being viewed publicly. “In August, I found 60 Trello boards, a public Jira and bunch of Google Docs of UN which were containing credentials to multiple FTP servers, social media & email account, lots of internal comm. and documents. @micahflee wrote an excellent article about it https://t.co/5nHWitM2lw,” said Kushagra Pathak, a security researcher.
Sensitive documents were available online to anyone who had their URL, similar to the way YouTube videos are uploaded as “unlisted.” This means there was no access control at all restricting anonymous visitors. “The mistakes made sensitive material available online to anyone with the proper link, rather than only to specific users who should have access. Affected data included credentials for a U.N. file server, the video conferencing system at the U.N.’s language school, and a web development environment for the U.N.’s Office for the Coordination of Humanitarian Affairs,” added Pathak.
Kushagra Pathak responsibly disclosed the problem to the U.N. himself in August 2018. He gave the organization time to fix the issue, but the UN only began fixing it on September 13, 2018. “This way they can share the details present on the board with their team members just by sharing the URL of the board with them without adding them to the board. Adding people to the board seems to be a huge task for these people, but in fact, it is really easy,” concluded Pathak.
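The exposure described above is a visibility setting, not a break-in, so the defensive check is an inventory audit: list every board the organization owns, flag the ones whose visibility is “public”, and flag cards whose text looks like a credential. The following is an added example, not code from the original article or from Trello; it works on a constructed sample shaped like the JSON Trello's REST API returns for boards (`prefs.permissionLevel` with the values `private`, `org`, `public`) and cards (`name`, `desc`). The board names, URLs and card contents are made up for the example, and the severity scale is an assumption of this example.

```python
import json
import re

# Constructed sample shaped like Trello API responses for boards and their
# cards. Every name, URL and secret below is made up for this example.
SAMPLE_BOARDS = json.loads("""
[
  {"name": "OCHA web dev", "url": "https://trello.com/b/EXAMPLE1",
   "prefs": {"permissionLevel": "public"},
   "cards": [
     {"name": "Staging FTP",
      "desc": "Upload via ftp://deploy:Sup3rS3cret@files.example.org"},
     {"name": "Sprint goals", "desc": "Finish the menu redesign"}
   ]},
  {"name": "HR phonebook", "url": "https://trello.com/b/EXAMPLE2",
   "prefs": {"permissionLevel": "org"},
   "cards": [{"name": "VC room", "desc": "Zoom password: 123456"}]},
  {"name": "Private notes", "url": "https://trello.com/b/EXAMPLE3",
   "prefs": {"permissionLevel": "private"},
   "cards": [{"name": "todo", "desc": "buy coffee"}]}
]
""")

# Crude but effective indicators of a credential pasted into a card:
# "password: ..." style lines and user:pass@ embedded in ftp/sftp/ssh URLs.
CREDENTIAL_PATTERNS = [
    re.compile(r"\b(password|passwd|pwd)\s*[:=]\s*\S+", re.IGNORECASE),
    re.compile(r"\b(ftp|sftp|ssh)://[^/\s:]+:[^@\s]+@", re.IGNORECASE),
]


def looks_like_credential(text):
    """True if any credential pattern matches the card text."""
    return any(p.search(text) for p in CREDENTIAL_PATTERNS)


def severity(permission_level, has_credentials):
    """Assumed risk scale for this example: a public board is always a
    finding; a non-public board is a finding only if it holds credentials."""
    if permission_level == "public":
        return "critical" if has_credentials else "high"
    if has_credentials:
        # "org" means every member of the workspace can read it.
        return "medium" if permission_level == "org" else "low"
    return None


def audit_boards(boards):
    """Return one finding per board that is public or contains credentials."""
    findings = []
    for board in boards:
        level = board.get("prefs", {}).get("permissionLevel", "unknown")
        cred_cards = [
            card["name"] for card in board.get("cards", [])
            if looks_like_credential(card.get("desc", ""))
        ]
        sev = severity(level, bool(cred_cards))
        if sev is None:
            continue
        findings.append({
            "board": board["name"],
            "url": board.get("url"),
            "permission": level,
            "credential_cards": cred_cards,
            "severity": sev,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_boards(SAMPLE_BOARDS):
        print(f"[{finding['severity'].upper()}] {finding['board']} "
              f"({finding['permission']}): credentials in "
              f"{finding['credential_cards'] or 'no cards'}")
```

In a real run the sample would be replaced by the boards fetched with an organization-level API token; the point of the severity split is that a public board is a finding even when it holds nothing sensitive today, because the next card added to it inherits the same visibility.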
The UN uses WordPress as the content management system for its website; that alone exposes to the public a lot of information that is supposed to be top secret. “Regardless that the application is not enforcing HSTS [HTTP Strict Transport Security], which means the application is supporting both HTTP and HTTPS versions, an MITM attacker would get your CV file while uploading it — the application is vulnerable to local path disclosure,” said Mohamed Baset, a security researcher for Seekurity.
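The missing HSTS header Baset refers to is the kind of thing a defender checks in a deployment test rather than by hand. The following is an added example, not code from the article or from the UN site: it parses a `Strict-Transport-Security` response header and reports whether it is absent, too short-lived, or missing `includeSubDomains`. The response headers it runs over are constructed for the example; the one-year `max-age` threshold is an assumption of this example, chosen because browsers' preload requirements use the same value.

```python
ONE_YEAR_SECONDS = 31536000  # assumed minimum max-age for this check


def parse_hsts(header_value):
    """Split 'max-age=N; includeSubDomains; preload' into a dict.
    Valueless directives map to True; values are lower-cased keys."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def assess_hsts(headers):
    """headers: dict of response header names to values (any case).
    Returns (enforced, reason)."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ("no Strict-Transport-Security header: a browser that "
                       "follows an http:// link sends the request in clear text")
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", 0))
    except ValueError:
        return False, "max-age is not an integer"
    if max_age < ONE_YEAR_SECONDS:
        return False, f"max-age={max_age} is shorter than one year"
    if "includesubdomains" not in directives:
        return True, "enforced for this host only; includeSubDomains is missing"
    return True, "enforced with includeSubDomains"


# Constructed responses: the first is what a site without HSTS looks like,
# the second is a short-lived test value, the third is a good configuration.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html", "Server": "nginx"},
    "short": {"strict-transport-security": "max-age=300"},
    "good": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
}


def check_all(responses):
    """Map each sample name to the (enforced, reason) verdict."""
    return {name: assess_hsts(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, (ok, reason) in check_all(SAMPLE_RESPONSES).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}")
```

Against a live site the header dict would come from an HTTPS response; note that HSTS only helps once a browser has seen the header over HTTPS, so the check is a necessary but not sufficient condition for killing the plain-HTTP path Baset describes.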
The following are some of the UN items that were publicly exposed for quite a while:
- Detailed information about website development of the UN website itself and the currently known issues with it.
- Exposed sensitive information such as meeting notes connected with Humanitarian Response and ReliefWeb.
- A PDF map of the UN buildings in New York City; the document itself is marked “for internal use only.”
- A Trello card containing a PDF copy of a phonebook with contact information for people working with the UN’s HR Department.
- Open Google Docs containing URLs and passwords for pre-release website content.
- A Google Docs spreadsheet containing information on UN meetings along with the corresponding passwords for the remote video conferencing sessions.
- User logins for a UN FTP server.