United Nations WordPress site publicly exposes thousands of resumes
September 26, 2018 | Breaches and Incidents
- A path disclosure vulnerability and an information disclosure vulnerability were found on the UN’s WordPress website.
- The website contained resumes of job applicants since 2016.
A United Nations WordPress website publicly exposed thousands of resumes submitted by job seekers. The exposure stemmed from two vulnerabilities discovered on the site.
The issue was discovered by security researcher Mohamed Baset of the penetration testing firm Seekurity. He found a path disclosure vulnerability and an information disclosure vulnerability on the UN website, which held resumes of job applicants dating back to 2016.
Baset found that applicants seeking a job at the UN had uploaded their resumes through an improperly configured web application. The bugs could have let an attacker reach the directory index holding the submitted applications, and, because the site accepted plain HTTP, an attacker on the network path could also have intercepted a CV in transit with a man-in-the-middle (MITM) attack.
“Regardless that the application is not enforcing HSTS which means the application is supporting both HTTP and HTTPS versions, a MITM attacker would get your CV file while uploading it – the application is vulnerable to local path disclosure,” said Baset in a blog post.
Baset said that he sent a report about the vulnerabilities to the UN on August 6. However, the organization failed to plug the leak. Instead, it stated that the vulnerabilities did not "pertain to the United Nations Secretariat, and is for UNDP [United Nations Development Programme]”, BleepingComputer reported.
According to Baset, the UN was irresponsible in how it addressed the issue, following which he reported the bugs to infosec@un.org.
"The discovered vulnerabilities have been responsibly reported to the United Nations along with other discovered issues (not mentioned here) including the technical details on how to reproduce the issues," Baset said.
Baset also offered WordPress site owners a few hardening recommendations to address issues of this kind: keep the WordPress installation updated, restrict access to sensitive files, and audit every installed theme and plugin.
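The three weaknesses the article describes (plain HTTP accepted with no HSTS, a browsable directory index, and an error page that leaks a local filesystem path) can all be spotted from captured HTTP responses. The script below is an added example, not code from the article, Seekurity, or the UN; it audits a set of constructed responses for a hypothetical host `jobs.example.org` (the plugin name and paths in the sample bodies are invented for illustration) and shows the same checks passing once the weak configuration is corrected.

```python
"""Offline audit of captured HTTP responses for: plain HTTP served with no
HSTS (MITM exposure during upload), a browsable directory index, and a local
path disclosed in an error page.  Added example; the responses below are
constructed, not captured from the UN site or any other real host."""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (e.g. pasted from curl -i)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        # Header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


# Absolute paths that normally only appear in a page when the server leaks its
# filesystem layout (common Linux web roots and Windows stacks).
LOCAL_PATH_RE = re.compile(
    r"/(?:var/www|home|srv|usr/share/nginx)/[\w./-]+"
    r"|[A-Za-z]:\\(?:inetpub|xampp|wamp)\\[\w.\\-]+"
)
# Apache and nginx autoindex pages share this title pattern.
DIRECTORY_INDEX_RE = re.compile(r"<title>\s*Index of\s+/", re.I)
MIN_HSTS_MAX_AGE = 15552000  # 180 days; preload lists require at least one year


def check_transport(http_resp, https_resp):
    """HTTP must redirect to HTTPS, and HTTPS must set HSTS with a real max-age."""
    findings = []
    location = http_resp.header("Location") or ""
    if not (300 <= http_resp.status < 400 and location.startswith("https://")):
        findings.append("plain HTTP serves content: an on-path attacker can read uploads (MITM)")
    hsts = https_resp.header("Strict-Transport-Security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        max_age = int(match.group(1)) if match else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too small ({max_age}s)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    return findings


def check_directory_index(resp):
    """A 200 with an autoindex title means the directory is browsable."""
    if resp.status == 200 and DIRECTORY_INDEX_RE.search(resp.body):
        return [f"directory listing enabled at {resp.url}"]
    return []


def check_path_disclosure(resp):
    """PHP warnings and stack traces often embed the server-side path."""
    return [f"local path disclosed at {resp.url}: {path}"
            for path in sorted(set(LOCAL_PATH_RE.findall(resp.body)))]


def audit(http_root, https_root, pages):
    findings = check_transport(http_root, https_root)
    for page in pages:
        findings += check_directory_index(page)
        findings += check_path_disclosure(page)
    return findings


# Constructed responses for a hypothetical host; plugin name and paths are invented.
HOST = "jobs.example.org"


def weak_findings():
    """The state the article describes: HTTP served, no HSTS, open index, PHP warning."""
    http_root = Response(f"http://{HOST}/", 200, {"Content-Type": "text/html"},
                         "<html><title>Careers</title></html>")
    https_root = Response(f"https://{HOST}/", 200, {"Content-Type": "text/html"},
                          "<html><title>Careers</title></html>")
    uploads = Response(f"https://{HOST}/wp-content/uploads/2016/", 200, {"Content-Type": "text/html"},
                       "<html><head><title>Index of /wp-content/uploads/2016</title></head>"
                       "<body><a href=\"applicant-cv.pdf\">applicant-cv.pdf</a></body></html>")
    error_page = Response(f"https://{HOST}/wp-content/plugins/example-upload/upload.php", 200, {},
                          "<b>Warning</b>: require_once(): Failed opening "
                          "'/var/www/html/wp-content/plugins/example-upload/lib.php' on line 12")
    return audit(http_root, https_root, [uploads, error_page])


def hardened_findings():
    """Same host after the fixes: 301 to HTTPS, HSTS set, index disabled, generic errors."""
    http_root = Response(f"http://{HOST}/", 301, {"Location": f"https://{HOST}/"})
    https_root = Response(f"https://{HOST}/", 200,
                          {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                          "<html><title>Careers</title></html>")
    uploads = Response(f"https://{HOST}/wp-content/uploads/2016/", 403, {},
                       "<html><title>403 Forbidden</title></html>")
    error_page = Response(f"https://{HOST}/wp-content/plugins/example-upload/upload.php", 500, {},
                          "<html><title>Internal Server Error</title></html>")
    return audit(http_root, https_root, [uploads, error_page])


if __name__ == "__main__":
    for label, fn in (("weak", weak_findings), ("hardened", hardened_findings)):
        results = fn()
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

To use this against a real site you control, replace the constructed `Response` objects with the status, headers and body captured by `curl -i` for the HTTP root, the HTTPS root, an upload directory and a page that produces an error; the hardened set shows what a passing result looks like (HTTP redirecting to HTTPS, an HSTS header with a long max-age, directory listings disabled, and error pages that carry no server paths).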