Ethical hacking and security research group Sakura Samurai researchers disclosed a security vulnerability that would allow access to over 100,000 private employee records of the United Nations Environmental Programme (UNEP).
The vulnerability originates from exposed Git directories and credentials, allowing researchers to clone Git repositories and collect personally identifiable information (PII) associated with Unep employees, according to BleepingComputer.
The data obtained by Sakura Samurai exposed travel history of UN staff, including: Employee ID, Names, Employee Groups, Travel Justification, Start and End Dates, Approval Status, Destination, and the Length of Stay.
Other data also revealed HR demographic data, such as nationality, gender, pay grade of thousands of employees, project funding source records, generalized employee records, and employment evaluation reports.
According to BleepingComputer, the research group reported the vulnerability to the UN on January 4th, 2021. The UN Office of Information and Communications Technology (OICT) said: "The reported vulnerability does not pertain to the United Nations Secretariat, and is for ILO (International Labour Organization)."
Saiful Ridwan, Chief of Enterprise Solutions at UNEP, however, later noted the DevOps team had taken appropriate steps to patch the vulnerability. BleepingComputer also notes UNEP is working on a data breach disclosure notice.
Joao Gomes, Application Security Researcher, Checkmarx, says, "The vulnerability found within the UNEP system is yet another unfortunate example of the commonality of unsecure DevOps practices. In this case, it appears to be a simple issue of incorrectly providing access control and uploading and storing sensitive data to a public location."
Gomes adds, "While it can be easy to overlook these types of misconfigurations – UNEP certainly isn’t the first or last to do so – setting and enforcing internal best practices for infrastructure management and software deployment is a key preventative measure. As part of this, security testing tools that cover emerging technologies, such as infrastructure-as-code, and perform incremental scans throughout software development cycles will catch these issues automatically and provide developers with real-time remediation guidance.