A researcher found a lot of information about the international organization
Many of the national leaders meeting this week in New York for the United Nations General Assembly should be thankful to UN officials who are dealing with a recent data breach. Ethical hacking expert Kushagra Pathak recently posted on his Twitter account that last August he discovered a large amount of information that should have been blocked but that he was able to access online. He added that even after he notified the UN of his finding, the organization took about two weeks to answer.
“In August this year, I found 60 Trello boards (a project management software), a public Jira profile, and many United Nations Google Docs files that contained credentials for multiple FTP servers, social networks, and email accounts, as well as internal communication files and other documents”, the expert posted on his Twitter account.
Pathak said he had informed the UN immediately after his discovery on August 20, but two weeks went by without an answer, until the international organization responded that they would review the exposed data. Then, on September 12, the UN said it could not replicate the problems and asked Pathak for more information. Subsequently, the UN began to secure or, in several cases, eliminate the exposed information.
The Trello platform is used for the UN's internal and external communications, an organization spokesman told various media outlets, just as it is used by many organizations to manage and plan projects. Pathak said that many of the Trello boards he found are used to host information that should be classified as confidential.
“Information about unfixed bugs and security vulnerabilities, access credentials for UN’s social network accounts, email accounts, servers, and management boards are available on the public Trello boards, and they’re being indexed by all search engines and anyone sufficiently dedicated can easily find them”, said the expert in ethical hacking.
Most of the exposed Trello boards were found by Google dorking, a hacking technique that uses the Google search engine, as well as other Google applications, to find security bugs in the code that websites use.
Specialists in ethical hacking from the International Institute of Cyber Security consider that, like many international organizations, the UN has some budgetary problems that have prevented it from dedicating sufficient resources to protecting information online, although this is no excuse for the signs of negligence that this event has shown.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.