Introduction:
The United Nations accidentally released passwords, internal documents, and technical details about websites when it misconfigured the popular project management service Trello, the issue tracking app Jira, and the office suite Google Docs.

News In Detail:
The U.N. accidentally exposed passwords, internal documents and other sensitive details to the entire internet, where anyone could find them with a Google search. The misconfiguration made sensitive data available online to anyone with the proper link. According to The Intercept, the affected data included:
- credentials for a U.N. file server,
- the video conferencing system at the U.N.’s language school,
- and a web development environment for the U.N.’s Office for the Coordination of Humanitarian Affairs.
Security researcher Kushagra Pathak first discovered the accidental leak back in August after he conducted a few Google searches, and he immediately notified the U.N. about the matter. As of today, much of the material appears to have been taken down. The U.N. replied after about two weeks that they would review the matter soon. A few days later, the U.N. sent an email saying that they were unable to reproduce the vulnerability. Throughout this time, he continued to send them his findings on the publicly available information. “In all, he reported 60 Trello boards, several Google Drive and Google Docs links that contained sensitive information, and sensitive information from a public U.N. account on Jira,” The Intercept reports.
Mr. Pathak told The Intercept in an online chat that he found the sensitive information by running searches on Google. The searches, in turn, produced public Trello pages, some of which contained links to the public Google Docs and Jira pages.

Trello projects are organized into “boards” that contain lists of tasks called “cards.” Boards can be public or private. After finding one public Trello board run by the U.N., Pathak found additional public U.N. boards by using “tricks like by checking if the users of one Trello board are also active on some other boards and so on.” One U.N. Trello board contained links to an issue tracker hosted on Jira, which itself contained even more sensitive information. Pathak also discovered links to documents hosted on Google Docs and Google Drive that were configured to be accessible to anyone who knew their web addresses. Some of these documents contained passwords.

Pathak, a specialist in this field, had already shown his talent for finding private information on public Trello boards. In early 2018, Mr. Pathak discovered a range of private data, including passwords and security plans, belonging to the governments of the U.K. and Canada on 50 unprotected boards. Before that, he uncovered a large swath of sensitive data on Trello belonging to dozens of other organizations, including a “well-known ride-sharing company.” Some of the companies used publicly visible Trello boards as a way to internally share passwords for logging into their websites and contact databases, as well as accounts for email, social media, and credit card processing.

According to The Intercept, here is just some of the sensitive information that the U.N. accidentally made accessible to anyone who Googled for it:
- A social media team promoting the U.N.’s “peace and security” efforts published credentials to access a U.N. remote file access, or FTP, server in a Trello card coordinating promotion of the International Day of United Nations Peacekeepers. It is not clear what information was on the server; Pathak said he did not connect to it.
- The U.N.’s Language and Communication Programme, which offers language courses at U.N. Headquarters in New York City, published credentials for a Google account and a Vimeo account. The program also exposed, on a publicly visible Trello board, credentials for a test environment for a human resources web app. It also made public a Google Docs spreadsheet, linked from a public Trello board, that included a detailed meeting schedule for 2018, along with passwords to remotely access the program’s video conference system to join these meetings.
- One public Trello board used by the developers of Humanitarian Response and ReliefWeb, both websites run by the U.N.’s Office for the Coordination of Humanitarian Affairs, included sensitive information like internal task lists and meeting notes. One public card from the board had a PDF, marked “for internal use only,” that contained a map of all U.N. buildings in New York City. Another card had an attached PDF that included a phone tree with names and phone numbers of people working for a division of the U.N.’s human resources department. Some cards contained links to internal documents hosted on Google Docs that, in turn, contained sensitive information about web development projects, including a web address and password to access a staging environment to test early features of the website.
- The U.N. website developers also used a public Jira bug tracker that contained detailed technical information about how the sites were developed and what issues they were having.
On September 13, the U.N. began taking down the exposed information after The Intercept contacted the organization for comment. U.N. spokesperson Florencia Soto Nino-Martinez said in an email: “Trello is one of various tools that U.N. staff use to share materials both internally and externally with partners. Some of the boards listed have communications materials which are not sensitive, while some have outdated information. However, we are reviewing all boards on the list to ensure that no passwords or credentials are shared through this medium.”

“We take security very seriously and have reached out to all staff reminding them of the risks of using a third-party platform to share content and to take the necessary precautions to ensure no sensitive content is public,” she added in the email.

Pathak says he believes that people often make their organizations’ sensitive data public simply because it’s more convenient. This way they can “share the details present on the board with their team members just by sharing the URL of the board with them without adding them to the board,” Pathak told The Intercept.

“Adding people to the board seems to be a huge task for these people, but in fact, it is really easy,” he added.
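
An added example, not part of the original article or of any U.N. or Trello tooling: a minimal audit an organization could run over its own boards, flagging public boards whose cards hold credential-like text or Google Docs/Drive links. The sample data is constructed; the field names (`prefs.permissionLevel`, `idBoard`, `desc`) follow the shape of Trello's REST API objects, and the regular expressions are illustrative assumptions.

```python
import re

# Constructed sample data shaped like Trello REST API objects (assumption):
# boards carry prefs.permissionLevel ("private", "org" or "public"),
# cards reference their board through idBoard.
BOARDS = [
    {"id": "b1", "name": "Peacekeepers Day promo", "prefs": {"permissionLevel": "public"}},
    {"id": "b2", "name": "Internal sprint", "prefs": {"permissionLevel": "org"}},
    {"id": "b3", "name": "Course schedule", "prefs": {"permissionLevel": "public"}},
]
CARDS = [
    {"idBoard": "b1", "name": "Upload assets",
     "desc": "ftp://files.example.org user: promo password: Example-Pass-1"},
    {"idBoard": "b2", "name": "Staging", "desc": "login: dev / pwd=Example-Pass-2"},
    {"idBoard": "b3", "name": "Timetable",
     "desc": "Sheet: https://docs.google.com/spreadsheets/d/EXAMPLE/edit?usp=sharing"},
    {"idBoard": "b3", "name": "Room list", "desc": "Rooms 1-4, no changes"},
]

# Illustrative patterns: a secret-looking keyword followed by ':' or '=',
# and links to Google Docs/Drive whose sharing setting needs a manual check.
SECRET_RE = re.compile(r"\b(pass(word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]", re.I)
SHARED_LINK_RE = re.compile(r"https://(docs|drive)\.google\.com/\S+", re.I)

def audit(boards, cards):
    """Return (board name, card name, reason) for risky cards on public boards."""
    public = {b["id"]: b["name"] for b in boards
              if b.get("prefs", {}).get("permissionLevel") == "public"}
    findings = []
    for card in cards:
        board = public.get(card["idBoard"])
        if board is None:
            continue  # board is private or organization-only
        text = f'{card.get("name", "")}\n{card.get("desc", "")}'
        if SECRET_RE.search(text):
            findings.append((board, card["name"], "credential-like text"))
        if SHARED_LINK_RE.search(text):
            findings.append((board, card["name"], "Google Docs/Drive link to review"))
    return findings

if __name__ == "__main__":
    for finding in audit(BOARDS, CARDS):
        print(finding)
```

Credentials on an organization-only board, like the constructed "Staging" card, are not flagged here because the audit targets public exposure; they still belong in a password manager rather than on a card.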