More than 40,000 MongoDB databases are floating around on the Internet, present major threat to stakeholders
The NoSQL company MongoDB sufffered a major setback today when a group of students from Saarland University in Germany, found out that nearly 40,000 databases were accessible online due to the lack of security mechanisms in these databases. One of these alone includes around 8 million customer phone numbers and addresses.
The 3 Musketeers
These 3 students – Jens Heyens, Kai Greshake and Eric Petryka – from Saarland University in Germany were behind the discovery that databases running as a service or those being used as a website backend could be accessed by anyone on the internet and gain read and write access to them.
“Without any special tools and without circumventing any security measures, we would have been able to get read-and-write access to thousands of databases, including sensitive customer data [and] live backends of web shops,” the students wrote.
Their view is that these mechanisms were not put in place as the tutorials and guidelines do not mention them specifically.
Organisations that set up MongoDB web servers following these guidelines are likely to have overseen the importance of activating security mechanisms and left the databases open for access on the internet. After doing a simple search the number of database instances vulnerable that they found were 39,890. This number though, could be much more higher as major corporations block such scans and searches.
MongoDB  by default executes on TCP port 27017, so anyone would simply need to run a port scan on the internet to find openly accessible databases, according to the students, who said it was ‘incredibly easy’ and could be achieved within four hours. They also mentioned about a search engine Shodan, which has a database containing IP addresses with a list of services running and an easy-to-use filter mask.
Lack of acknowledgment
“The fault is not complicated, but its effect is catastrophic,” said Michael Backes, professor of information security and cryptography at Saarland University and director of CISPA, who was contacted by the students at the end of last month. The students informed the French Data Protection Authority (CNIL), the Federal Office for Information Security and MongoDB so that the affected database owners could be notified. But the anger is not because of the flaw, it is being fuelled by the lack of acknowledgement of the existence of the flaw.
Dent in the growth
This revelation will cause a dent to the growth story of NoSQL systems, which have in recent years challenged the use of relational databases with the prowess of handling greater data sets with better efficiency. As the leading open-source document database, MongoDB is at the center of this trend with several major websites and services integrating it for their backend. This security alert is likely to be a setback for the company, which last month was valued at $1.6 billion after a new round of funding from investors.
“Readers who are concerned about access to their systems are reminded of the following resources: the most popular installer for MongoDB (RPM) limits network access to local host by default; security is addressed in detail in our security manual; the method to do this will vary significantly depending on where the service is hosted; and users of MongoDB Management Service (MMS) can enable alerts to detect if their deployment is internet exposed. “We encourage users who have experienced a security incident for MongoDB to create a vulnerability report”
Absolute bollocks, this is a case of a severe lack of common sense from the people caught. As a devops/sysadmin sets up any database system, they should be asking about security, 3 extremely simple things spring to mind – password protect, firewall and change the default port.