After many organizations and spy firms have admitted to accidentally exposing their data, the latest incident involves an even bigger victim. This time, it is the United Nations that exposed sensitive data publicly. A researcher discovered passwords and other sensitive data leaked online and findable through Google due to an app misconfiguration.
United Nations Leaked Sensitive Data Online
Reportedly, the United Nations mistakenly exposed sensitive data on Google due to a misconfigured project management app. The leaked data includes passwords, technical details, and internal documents exposed publicly through Trello, Jira, and Google Docs.
As reported, security researcher Kushagra Pathak stumbled upon the leaked data about a month ago. He then alerted the U.N. about the data exposure. According to his observation, the exposed data included some explicit information that anyone could access through a simple Google search. The Intercept states,
“The mistakes made sensitive material available online to anyone with the proper link, rather than only to specific users who should have access. Affected data included credentials for a U.N. file server, the video conferencing system at the U.N.’s language school, and a web development environment for the U.N.’s Office for the Coordination of Humanitarian Affairs.”
U.N. Took Down The Leaked Stuff
Kushagra Pathak discovered this U.N. data leak last month and notified the U.N. about it on August 20, 2018. As of September 12, 2018, U.N. officials were still unable to identify the exact vulnerability, as stated in their email to Pathak. He continued his communication with the U.N., reporting more instances of sensitive data exposure to them.
“In all, he reported 60 Trello boards, several Google Drive and Google Docs links that contained sensitive information, and sensitive information from a public U.N. account on Jira.”
From September 13, 2018, onwards, the U.N. began taking down the exposed data. The report then surfaced online on September 24, 2018.
Regarding why the U.N. put up the details publicly, Pathak said,
“This way they can share the details present on the board with their team members just by sharing the URL of the board with them without adding them to the board. Adding people to the board seems to be huge task for these people, but in fact, it is really easy.”