United Nations WordPress Site Exposes Thousands Of Resumes
(Sep 25, 2018)
One of the United Nations’ (UN) WordPress websites was discovered to be misconfigured in a way that allowed public access to job applications uploaded to the site since 2016. The misconfiguration exposed a directory index of applications containing CVs which, according to researcher Mohamed Baset, who discovered the leak, reportedly holds thousands of documents. Baset reported the misconfiguration to a contact at UN security, who stated that the issue pertained to the UN Development Programme (UNDP) and not the UN Secretariat. Even 48 days after the incident was reported to the UN, they had yet to fix the misconfiguration or even respond to the notice.
Recommendation: Baset recommends that WordPress website owners keep their installations, along with any additional plug-ins, up to date. Ensure that any private documents containing Personally Identifiable Information (PII) are properly secured with restricted access and kept away from public view. Leaked PII leaves the affected people susceptible to phishing and data/credit theft. Organisations like the UN should have adequate security in place to protect the information of applicants, employees, and others, and should respond immediately to reports of breaches such as this one. It is crucial to have policies in place that address issues such as the one in this story, and to have cyber security personnel in every department to whom these issues can be reported, instead of pushing the problem around to others with no fix.
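As an added illustration (not taken from the story or from the UN's own configuration), the kind of Apache web-server setting that produces an exposure like the one described above, beside a corrected version that disables directory listings and keeps applicant uploads out of anonymous reach. The directory paths and the use of Apache 2.4 syntax are assumptions.

```apache
# Weak: a commonly seen upload-directory configuration.
# Directory listing is on, so anyone who reaches the path is shown an index
# of every uploaded CV, and each file is then served to anonymous visitors.
<Directory "/var/www/html/wp-content/uploads/applications">
    Options +Indexes
    Require all granted
</Directory>

# Corrected (Apache 2.4 syntax): no listings anywhere under uploads, and the
# applications subdirectory is never served directly by the web server.
# The application itself must hand out those files only after checking
# that the requesting user is authorised to see them.
<Directory "/var/www/html/wp-content/uploads">
    Options -Indexes
</Directory>
<Directory "/var/www/html/wp-content/uploads/applications">
    Require all denied
</Directory>
```

A quick self-check after deploying the change is to request the directory URL as an unauthenticated user and confirm that it returns 403 rather than an "Index of" page.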