Hacktivist vuln still plagues UN.org

Still lazy after all these years


The official website of the United Nations has yet to fix a vulnerability that more than two years ago allowed hacktivists to replace official content with their own activist messages.

According to Errata Security CEO Rob Graham, the same SQL injection flaw that plagued the site in August of 2007 remains unfixed now. It's invoked by doing nothing more than adding a stray character to the ASP parameter of a un.org link, such as http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=10'5.

"Despite the fact a high-school intern can fix the bug in 5 minutes, the bureaucracy means that the organization must spend tens of thousands of dollars to fix the bug," Graham wrote. "The other lesson is that the cost of NOT fixing the bug is low. The UN can simply live with the problem, and clean up after every hack."

As The Register reported in 2007, hacktivists used the bug on the UN's Apache-powered website to replace speeches by Secretary-General Ban Ki-Moon with pacifist messages. While that attack appeared to be the work of activist critics of the global organization, it's not a stretch to imagine criminals hacking the site to surreptitiously send visitors to sites that push malicious drive-by exploits.

Messages seeking comment from the UN went unanswered. ®

Broader topics


Other stories you might like

  • Spain, Austria not convinced location data is personal information
    Privacy group NOYB sues to get telcos to respect GDPR data access rights

    Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation.

    EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to support Virgin Telco's refusal to provide the location data it has stored about a customer.

    In Spain, according to NOYB, the government still requires telcos to record the metadata of phone calls, text messages, and cell tower connections, despite Court of Justice (CJEU) decisions that prohibit data retention.

    Continue reading
  • Tim Hortons collected location data constantly, without consent, report finds
    Hortons hears a sue

    From May 2019 through August 2020, the mobile app published by multinational restaurant chain Tim Hortons surveilled customers constantly by gathering their location data without valid consent, according to a Canadian government investigation.

    In a report published Wednesday, Office of the Privacy Commissioner (OPC) of Canada and the privacy commissioners from three provinces – Alberta, British Columbia, and Quebec – presented the results of an inquiry that began shortly after the publication of a June 2020 National Post article.

    That article revealed the Tim Hortons app tracked location data every few minutes even when relegated to the background, and the report compiled by Canadian privacy officials confirmed as much.

    Continue reading
  • Behind Big Tech's big privacy heist: Deliberate obfuscation
    You opted out, but you didn't uncheck the box on page 24, so your data's ours...

    Opinion "We value your privacy," say the pop-ups. Better believe it. That privacy, or rather taking it away, is worth half a trillion dollars a year to big tech and the rest of the digital advertising industry. That's around a third of a percent of global GDP, give or take wars and plagues. 

    You might expect such riches to be jealously guarded. Look at what those who "value your privacy" are doing to stop laws protecting it, what happens when a good law  gets through, and what they try to do to close it down afterwards. 

    The best result for big tech is if laws are absent or useless. The latest survey of big tech lobbying in the US reveals a flotilla of nearly 500 salespeople/lawyers touring the US state legislatures, trying to either draw up tech friendly legislation to insert into privacy bills, water then down through persuasion, or just keep them off the books.

    Continue reading
  • TikTok US traffic defaults to Oracle Cloud, Beijing can (allegedly) still have a look
    Alibaba hinted the gig was worth millions each year

    The US arm of Chinese social video app TikTok has revealed that it has changed the default location used to store users' creations to Oracle Cloud's stateside operations – a day after being accused of allowing its Chinese parent company to access American users' personal data.

    "Today, 100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," the company stated in a post dated June 18.

    "For more than a year, we've been working with Oracle on several measures as part of our commercial relationship to better safeguard our app, systems, and the security of US user data," the post continues. "We still use our US and Singapore datacenters for backup, but as we continue our work we expect to delete US users' private data from our own datacenters and fully pivot to Oracle cloud servers located in the US."

    Continue reading

Biting the hand that feeds IT © 1998–2022