A United Nations WordPress website exposed thousands of resumes submitted by job seekers. The exposure was caused by two vulnerabilities discovered in one of the UN's WordPress websites.
The breach was discovered by security researcher Mohamed Baset, from the penetration testing firm Seekurity. The researcher found a path disclosure vulnerability and an information disclosure vulnerability on the UN website that contained resumes of job applicants since 2016.
Baset found that applicants seeking a job at the UN had uploaded their resumes through an improperly configured web application. If exploited, the bugs could have allowed attackers to reach the directory index that listed the job applications, or to capture resumes in transit through Man-in-the-Middle (MiTM) attacks.
“Regardless that the application is not enforcing HSTS which means the application is supporting both HTTP and HTTPS versions, a MITM attacker would get your CV file while uploading it – the application is vulnerable to local path disclosure,” said Baset in a blog post.
Baset said that he sent a report about the vulnerabilities to the UN on August 6. However, the organization failed to plug the leak. Instead, it stated that the vulnerabilities did not "pertain to the United Nations Secretariat, and is for UNDP [United Nations Development Programme]”, BleepingComputer reported.
According to Baset, the UN was irresponsible in how it addressed the issue, following which he reported the bugs to firstname.lastname@example.org.
"The discovered vulnerabilities have been responsibly reported to the United Nations along with other discovered issues (not mentioned here) including the technical details on how to reproduce the issues," Baset said.
Baset also recommended that WordPress website owners follow a few security practices to address issues of this kind: update the WordPress installation regularly, restrict access to sensitive files, and review every installed theme and plugin.
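As an added example (not the article's text or the UN's configuration), the following Apache virtual-host fragment closes the three weaknesses the article describes for a WordPress site: plain-HTTP access with no HSTS, a browsable directory index, and uploaded files that can be fetched directly by path. The server name, the `/var/www/wordpress` document root and the `uploads/applications` folder are assumptions; `mod_rewrite`, `mod_headers` and `mod_ssl` are assumed to be loaded.

```apache
# Added example; paths and hostnames are assumptions, not the UN's.

<VirtualHost *:80>
    ServerName example.org
    # Weak: serving the site over HTTP as well as HTTPS lets an on-path
    # attacker read a CV while it is uploaded. Corrected: redirect all of it.
    RewriteEngine On
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    DocumentRoot /var/www/wordpress
    SSLEngine on
    # SSLCertificateFile / SSLCertificateKeyFile omitted for brevity

    # HSTS: browsers that have seen this header refuse plain HTTP for a year,
    # so the redirect above cannot be stripped by an on-path attacker.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    <Directory /var/www/wordpress>
        # Weak: "Options Indexes" lets anyone list a directory that has no
        # index file, which is how uploaded resumes became browsable.
        # Corrected: directory listings off.
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>

    # Uploaded files must never execute as PHP, whatever their name.
    <Directory /var/www/wordpress/wp-content/uploads>
        <FilesMatch "\.(php|phtml|php[0-9])$">
            Require all denied
        </FilesMatch>
    </Directory>

    # Assumed folder where the application stores CVs: not fetchable by URL;
    # the application should stream them to authorised users instead.
    <Directory /var/www/wordpress/wp-content/uploads/applications>
        Require all denied
    </Directory>

    # Keep configuration and other sensitive files off the web entirely.
    <FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|license\.txt)$">
        Require all denied
    </FilesMatch>

    # Do not append the server version to error pages (reduces path/version leaks).
    ServerSignature Off
</VirtualHost>
```

After reloading Apache, confirm the fix by requesting the uploads directory over HTTPS and checking that it returns 403 rather than a file listing, and that the response carries the `Strict-Transport-Security` header.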