Security researchers with Sakura Samurai identified exposed GitHub credentials on a United Nations Environment Programme (UNEP) subdomain, which allowed them to access a trove of data, including more than 100,000 employee records.
While researching security flaws in assets within the scope of The United Nations’ vulnerability disclosure program, the Sakura Samurai researchers discovered an ilo.org subdomain that exposed .git contents.
This allowed them to take over an SQL database, as well as perform account takeover on a Survey Management Platform belonging to the International Labour Organization. However, although these are critical vulnerabilities, both resources were found to be abandoned, thus containing little data of use.
Further fuzzing, however, led the researchers to a UNEP subdomain that leaked GitHub credentials, thus enabling them to access and download “a lot of private password-protected GitHub projects.”
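As an added defender-side example (not code from the SecurityWeek story or from the Sakura Samurai researchers), the Python below checks the two conditions this incident turns on: whether a host is serving a genuine `.git/HEAD`, and whether a served `.git/config` embeds credentials in its remote URLs. The sample config, organisation, and token value are constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a .git/config as a web server would serve it when the
# .git directory is exposed (assumption: org name and token are made up).
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://deploy-bot:ghp_EXAMPLEtoken123@github.com/example-org/private-app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@github.com:example-org/private-app.git
"""

_SECTION = re.compile(r"^\s*\[(.+)\]\s*$")
_KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def looks_like_git_head(body: str) -> bool:
    """True if an HTTP response body fetched from /.git/HEAD on one of your own
    hosts is a real git HEAD file: a symbolic ref or a detached 40-hex commit id.
    A 404 page or HTML error body returns False."""
    body = body.strip()
    return body.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", body) is not None


def find_remote_credentials(config_text: str) -> list:
    """Parse a git config and report remote URLs that embed a username and/or
    password or token. Each finding carries a redacted URL so the report itself
    does not re-leak the secret."""
    findings, section = [], None
    for line in config_text.splitlines():
        sec = _SECTION.match(line)
        if sec:
            section = sec.group(1)
            continue
        kv = _KEY_VALUE.match(line)
        if not kv or not section or not section.startswith("remote ") or kv.group(1) != "url":
            continue
        parts = urlsplit(kv.group(2))
        if parts.scheme not in ("http", "https") or not (parts.username or parts.password):
            continue  # scp-style / ssh remotes carry no inline secret
        host = (parts.hostname or "") + (f":{parts.port}" if parts.port else "")
        redacted = urlunsplit((parts.scheme, f"{parts.username}:***@{host}", parts.path, parts.query, parts.fragment))
        findings.append({"remote": section, "user": parts.username,
                         "has_secret": parts.password is not None, "redacted_url": redacted})
    return findings


if __name__ == "__main__":
    print("HEAD exposed:", looks_like_git_head("ref: refs/heads/main\n"))
    for finding in find_remote_credentials(SAMPLE_GIT_CONFIG):
        print(finding)
```

Running both checks against your own web roots before deployment, or as a recurring job, catches the exposure the article describes; the remediation is to deny HTTP access to `.git/` and rotate any token found.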
These projects, Sakura Samurai says, contained multiple databases, as well as application credentials for the ...
Copyright of this story solely belongs to SecurityWeek.