
Hackers can remotely steal any number of fingerprints from Android smartphones

Hackers can steal any number of fingerprints remotely from Android smartphones without the user's knowledge

Two FireEye researchers have discovered a new way to steal an Android smartphone user's fingerprints remotely without their knowledge or consent. FireEye researchers Tao Wei and Yulong Zhang have outlined four new ways to attack Android devices and extract users' fingerprints. The researchers will demonstrate the exploit at the Black Hat conference in Las Vegas on Wednesday.

The researchers stated that, as of now, only smartphones with fingerprint scanners are vulnerable, so only premium and flagship smartphones from the likes of Samsung, Huawei and HTC are affected. The real fear is what happens when fingerprint scanners move from the premium segment to mid-range and low-budget smartphones, which is expected to happen in late 2018.

Of the four attacks outlined by the researchers, one in particular — dubbed the “fingerprint sensor spying attack” — can “remotely harvest fingerprints in a large scale,” Zhang told ZDNet by email.

The exploit, which the researchers confirmed works on the HTC One Max and Samsung's Galaxy S5, allows an attacker to stealthily acquire a fingerprint image from an affected device because device makers don't fully lock down the sensor.

ZDNet added that on some devices the sensor is guarded only by the "system" privilege rather than root, making it easier to target. This means rooted Android smartphones are at even greater risk.

Worryingly, once the attacker has gained entry via the attack, the fingerprint sensor can continue to quietly collect fingerprint data from anyone who uses it and send it back to the attacker remotely, giving them an unlimited harvest of fingerprints.

“In this attack, victims’ fingerprint data directly fall into attacker’s hand. For the rest of the victim’s life, the attacker can keep using the fingerprint data to do other malicious things,” Zhang said.

Zhang and his partner have alerted the smartphone makers, who have since patched their devices against this vulnerability. However, the researchers have neither named the makers nor said whether the patch has reached end users. They also have not commented on which vendor is most affected.

Asked whether the same attack applies to Apple's iPhone, Zhang said it is quite secure. The iPhone, which essentially pioneered unlocking a smartphone with a fingerprint scanner, encrypts fingerprint data coming from the scanner.

“Even if the attacker can directly read the sensor, without obtaining the crypto key, [the attacker] still cannot get the fingerprint image,” he said.

With biometrics exploding and being adopted for almost everything, from gate access and passports to banking, the problem isn't limited to mobile devices.

Save your Chrome, Firefox and Safari Browser From Favicon Bug

A 10GB+ Favicon Bug Icon Keeps Downloading Until It Crashes Your Web Browser

Andrea De Pasquale, a security analyst and software developer, recently spotted a bug that can crash the Firefox and Chrome browsers. The small icon known as the favicon can crash your web browser if the browser is made to download a file larger than 10GB in its place. A favicon is usually only a few kilobytes in size.

Andrea De Pasquale posted a tweet saying,

“Weird 64MB favicon.ico turning out to be a TAR backup of the whole WP site, downloaded by every browser passing by.”

This bug makes Chrome and Firefox download the huge favicon file until the browser crashes. The silliest part is that users are not aware of the download at all, as it happens in the background, which raises the question of who is really to blame.

A favicon is the small icon or symbol image of a website shown at the top left corner of the web browser. A favicon is precisely 16x16 pixels in size, but the bug appears to have surfaced with a favicon file that was incorrectly sized.

In more thorough tests performed by Benjamin Gruenbaum, Google Chrome managed to download up to 10GB of a favicon file before crashing. In other words, it could download the equivalent of two DVDs of data before the download finally overwhelmed the browser and crashed it.

The bug was reproduced with both touch-icon and favicon files, which indicated that both mobile and desktop browsers are vulnerable to it.

Safari and Firefox are also susceptible. The good news is that Firefox corrected the issue in less than two days, and a patched version will be available with its next update.

Technically, the existence of this bug is no surprise, as no standard anywhere states that favicon files have to be below a specified size limit.

As a matter of fact, favicon files need not even be .ico files. Many popular websites use GIF, PNG or JPEG files, and there are no limitations tied to the file's extension.

De Pasquale spotted the bug when he visited a website that served a WordPress backup .tar file in place of the favicon.

This implies that, because browsers perform no security checks on it, any type of file can be passed off as a favicon; the browser simply trusts that the website's developers do not deliver anything "else" (read: "dangerous").

The bug is expected to be fixed soon, as reports have been filed with all three browser vendors. In the meanwhile, it is just another illustration of how computers are among the most powerful tools we have but also lack common sense.
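The size cap and content check the article says browsers lacked, as an added example that is not the article's or any browser vendor's code; the 1 MiB cap, the helper names and the in-memory response bodies are constructed for illustration:

```python
"""Bounded favicon fetch: stream the body, stop at a size cap, and check the
bytes are actually an image. Added example, not code from the article or any
browser; the HTTP bodies below are constructed in-memory stand-ins."""
import io

# Hypothetical policy: favicons are a few kilobytes, so 1 MiB is already generous.
MAX_FAVICON_BYTES = 1024 * 1024
CHUNK = 64 * 1024
SNIFF_LEN = 512  # enough to reach the ustar magic at offset 257

# Magic bytes for the formats the article says sites use as favicons.
_IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}


class FetchRejected(Exception):
    """Raised when the response must not be buffered any further."""


def sniff_type(head: bytes) -> str:
    """Identify the payload from its leading bytes rather than the URL or extension."""
    for magic, name in _IMAGE_MAGIC.items():
        if head.startswith(magic):
            return name
    # POSIX tar archives carry "ustar" at offset 257 (the WordPress-backup case).
    if len(head) >= 262 and head[257:262] == b"ustar":
        return "tar"
    return "unknown"


def _require_image(head: bytes) -> None:
    kind = sniff_type(head)
    if kind not in ("ico", "png", "gif", "jpeg"):
        raise FetchRejected(f"payload is not an image (detected: {kind})")


def fetch_favicon(body, declared_length=None, cap=MAX_FAVICON_BYTES) -> bytes:
    """Read at most `cap` bytes from a file-like `body`.

    `declared_length` is the Content-Length if the server sent one; rejecting on
    it saves bandwidth, but the streaming cap is the real protection because the
    header may be absent or wrong. The type is sniffed as soon as SNIFF_LEN bytes
    are in hand so a non-image is dropped early.
    """
    if declared_length is not None and declared_length > cap:
        raise FetchRejected(f"Content-Length {declared_length} exceeds cap {cap}")
    buf = bytearray()
    sniffed = False
    while True:
        chunk = body.read(CHUNK)
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > cap:
            raise FetchRejected(f"body exceeded {cap} bytes; download aborted")
        if not sniffed and len(buf) >= SNIFF_LEN:
            _require_image(bytes(buf[:SNIFF_LEN]))
            sniffed = True
    if not sniffed:
        _require_image(bytes(buf))
    return bytes(buf)


def make_tar_like(size: int) -> bytes:
    """Constructed sample: a zero-filled blob with the ustar magic at offset 257."""
    data = bytearray(size)
    data[257:262] = b"ustar"
    return bytes(data)


def demo() -> dict:
    """Exercise the three outcomes a browser should distinguish."""
    results = {}
    tiny_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100
    results["png_ok"] = fetch_favicon(io.BytesIO(tiny_png)) == tiny_png
    try:  # a tar backup served as favicon.ico, no Content-Length: sniff stops it
        fetch_favicon(io.BytesIO(make_tar_like(4 * 1024 * 1024)))
        results["tar_rejected"] = False
    except FetchRejected:
        results["tar_rejected"] = True
    try:  # looks like a GIF but keeps going: the cap, not the sniff, must stop it
        fetch_favicon(io.BytesIO(b"GIF89a" + b"\x00" * (3 * 1024 * 1024)))
        results["oversize_rejected"] = False
    except FetchRejected:
        results["oversize_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```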

Security researcher discovers a backdoor to Dell’s Helper app

A serious bug has been detected by a security researcher in the Dell System Detect software provided by Dell.

Dell users are encouraged to use a program known as "Dell System Detect" to download the correct drivers for their machine. Dell users will be familiar with the "Dell Support Page", which helps them get the latest drivers. Users can identify their machine on this site by entering the Dell Service Tag, which is found on a sticker on the machine, or by clicking the shiny blue "Detect Product" button. Clicking the button prompts the user to download and install the "Dell System Detect" program, which auto-fills the service tag so the user can see the drivers relevant to their machine.

However, security researcher Tom Forbes discovered a serious flaw in this Dell software that effectively gives attackers a backdoor into the target computer. With the help of this backdoor, hackers and cyber crooks can attack the target computer by executing malicious files on it.

In his blog Tom Forbes says: “While investigating this rather innocuous looking program I discovered that it accepts commands by listening for HTTP requests on localhost:8884 and that the security restrictions Dell put in place are easily bypassed, meaning an attacker could trigger the program to download and install any arbitrary executable from a remote location with no user interaction at all.” Forbes had informed Dell privately about this flaw in November 2014, and Dell immediately took steps to fix it. Forbes received word that Dell's Internal Assessment team was investigating the issue. By January 2015 Dell informed Forbes that they had fixed the issue by “introducing additional validation and obfuscation”.

Forbes says that the PoC bug he discovered seems to have been fixed; however, he remains doubtful about the quality of the validation Dell added. Forbes feels that Dell simply changed ‘if dell in referrer’ to ‘if dell in referrer domain name’, so it is now a bit harder for cyber crooks to exploit, but the software is still not foolproof. In an interview Forbes told El Reg: “An attacker could trigger the program to download and execute an arbitrary file without any user interaction.” He added: “The little ‘Dell Service Tag Detector’ program that they push people to download on the Dell.com website does a lot more than just detect service tags – it gives Dell access to your entire machine, allowing them to download and install software and collect system information without you knowing.”
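The difference between the two substring checks Forbes describes and a strict origin allow-list, as an added example that is not Dell's code; the allow-list, the function names and the hostnames other than dell.com are constructed for illustration:

```python
"""Referer validation for a localhost helper service: the substring checks the
article describes next to a strict origin allow-list. Added example, not Dell's
code; hostnames other than dell.com are constructed placeholders."""
from urllib.parse import urlsplit

# Hypothetical allow-list of the exact (scheme, host, port) origins permitted to
# drive the local service.
ALLOWED_ORIGINS = {
    ("https", "www.dell.com", 443),
    ("https", "dell.com", 443),
}


def weak_referer_check(referer: str) -> bool:
    """The original 'if dell in referrer' pattern: the word may appear anywhere
    in the URL (path, query or an unrelated host) and the check passes."""
    return "dell" in referer.lower()


def weak_host_check(referer: str) -> bool:
    """The tightened 'if dell in referrer domain name' pattern: still a substring
    test, so any hostname that merely contains 'dell' passes."""
    host = urlsplit(referer).hostname or ""
    return "dell" in host.lower()


def strict_origin_check(referer: str) -> bool:
    """Compare the parsed (scheme, host, port) against exact allowed origins.

    The scheme is part of the key so a plain-http page cannot stand in for the
    HTTPS site, and the default port is filled in so 'https://host' and
    'https://host:443' compare equal. Anything unparseable is rejected.
    """
    try:
        parts = urlsplit(referer)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port) in ALLOWED_ORIGINS


def evaluate(referer: str) -> dict:
    """Run all three checks so the outcomes can be compared side by side."""
    return {
        "weak": weak_referer_check(referer),
        "host_substring": weak_host_check(referer),
        "strict": strict_origin_check(referer),
    }


# Constructed Referer values: the legitimate site and three that a substring
# check should never have accepted.
SAMPLES = [
    "https://www.dell.com/support/home",   # legitimate origin
    "https://dell.example.test/",          # third-party host containing 'dell'
    "https://example.test/dell",           # the word only in the path
    "http://www.dell.com/support/home",    # right host, wrong scheme
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, evaluate(sample))
```

A Referer check only constrains well-behaved browsers; a process already running on the same machine can send any header it likes to localhost, so a helper service of this kind still needs something like a per-session token before acting on a request.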

When El Reg asked Dell about this, Dell said: “We take very seriously any issues that may impact the integrity of our products or customer security and privacy. Dell does not work with any government to compromise our products to make them vulnerable for exploit, including through ‘software implants’ or so-called ‘backdoors’.”

Forbes initially informed Dell in private, the matter was fixed within a span of two months, and it was only on March 23rd, a couple of days ago, that Forbes made the issue public. As of now it seems the backdoor could well be unintentional, and users can still use Dell System Detect to update their machines to the latest version.

Flaws in Telegram, the secure messaging App expose Secret Chat messages

Telegram cross-platform messaging flaws allow hackers to bypass encryption and access user messages

Apparently the Secret Chat feature of Telegram saves messages in plain text in the memory dump

Is Telegram secure? Not any more. Telegram, the cross-platform messaging app hailed as the most secure messaging app by the Electronic Frontier Foundation, has been found to be not so secure after all.

Researchers from security firm Zimperium have discovered that Telegram can be hacked by cyber criminals in two ways. Zimperium's founder and CTO Zuk Avraham stated on the Zimperium blog that, after researching the Telegram app, the researchers found at least two methods that can be leveraged to bypass encryption and obtain messages.

Telegram has around 55 million active users around the world and has a Secret Chat feature for private, secure one-on-one chats between two users. Secret Chat works by giving the encryption and decryption keys to the sender and receiver, which is meant to make it highly secure. The EFF, in its December audit and review of secure messaging apps, gave Telegram's Secret Chat feature the maximum score.

EFF score for Secret Chat

According to Avraham, Telegram is vulnerable once a hacker gains complete control of the targeted Android smartphone on which Telegram is installed, for instance by leveraging a kernel exploit to elevate privileges. Once the attacker controls the smartphone, he can dump process memory and gain access to any file stored on the device.

Zimperium researchers noticed that Telegram Secret Chat messages are stored in plain text in the Telegram process's memory dump, where they are easily accessible to an attacker.


The researchers further discovered that a database file (Cache4.db) containing tables that store the secret messages is also in plain text. While Telegram users can delete their messages using a special function, the deleted messages can still be retrieved from the process memory, Avraham stated.

“While Telegram was founded upon a noble goal of providing privacy to consumers everywhere at no cost, they have fallen short of their objective by focusing purely on data-in-transit versus protecting data-at-rest on the mobile device itself. What is regrettable is that I approached Telegram multiple times and have yet to receive a response,” Avraham explained in a blog post. “Telegram’s so-called powerful encryption is not protecting users any better than any other page or app that uses SSL. If you are using Telegram because you want to ensure your privacy and the privacy of the messages you are sending, be aware that it will not stop sophisticated hackers from reading your messages. We highly recommend adding additional protection to your mobile device that can detect device-level cyberattacks.”

Avraham said Zimperium made the vulnerability public after its 30-day disclosure window expired without any reply from Telegram about the flaw. Telegram is yet to issue a statement about the flaw.

Hackers can steal data with Masque Attack II hack of Apple’s iPhone and iPad

Masque Attack II: Another major flaw has been detected in Apple iOS which can lead to data theft of the enterprise users.

In November 2014, researchers at FireEye identified a “Masque Attack” that attackers could use to replace a genuine app with a malware-laden one via SMS, email or web browsing. Apple appears to have fixed this issue in iOS 8.1.3. Now FireEye researchers have discovered a new bug which can be twice as dangerous as Masque. Aptly named Masque Attack II by the FireEye researchers, they warn that it can be exploited to hack iPhones and iPads.

Masque II: Hijack of the URL

FireEye researchers have noted that Masque Attack II comprises two parts:

a) Bypasses Prompt for Trust and,

b) URL Scheme Hijacking.

Hui Xue and his team of researchers note that iOS 8.1.3 is fortified against the “Prompt Bypass” but is still vulnerable to “iOS URL scheme hijacking”.

We will try to understand this in simple terms.

1) Bypasses Prompt for Trust: Whenever a user clicks on a link in an SMS, an email or even Google Inbox, Apple iOS launches the target enterprise-signed app without asking for the user's permission. Usually, if a user downloads a particular app from the App Store for the first time, a prompt pops up asking whether to “Trust” or “Don't Trust” it. In this case, since the user has followed the link through a URL scheme, the app is downloaded directly without the prompt.

In the cases FireEye studied, even though the user had earlier clearly said “Don't Trust” to an untrusted app, iOS ignored that decision and downloaded the app. FireEye has brought this issue to Apple's notice.

According to FireEye’s article: “An attacker can leverage this issue to launch an app containing a Masque Attack. Hijackers can distribute an enterprise-signed malware that registers app URL schemes identical to the ones used by legitimate popular apps and thus hijack legitimate apps’ URL schemes and mimic their UI to carry out phishing attacks, e.g. stealing the login credentials.” Apple iOS cannot protect its users against this because the attack operates at the prompt level.

2) URL Scheme Hijacking: This is more a feature issue than a malware attack. Apple iOS allows apps from different developers to share the same URL schemes. Again, as per the researchers at FireEye: “Attackers can either publish an ‘aggressive’ app into the App Store, or craft and distribute an enterprise-signed/ad-hoc malware that registers app URL schemes identical to the ones of legitimate popular apps. Through this, attackers can mimic a legitimate app’s UI to carry out phishing attacks to steal login credentials or gather data intended to be shared between two trusted apps.” In simplified terms, this means users may end up downloading the malicious app the hijacker intends instead of the legitimate one, which may then steal the iPhone/iPad user's personal and financial information.

According to the FireEye team of Hui Xue, Zhaofeng Chen, Song Jin, Yulong Zhang and Tao Wei, iPhone and iPad users need to be more careful about Masque Attack II as it has not been mitigated yet.

Probable remedies suggested to Apple iOS users:

  • Update their device to iOS 8.1.3 as soon as possible
  • Be careful with any link received in an SMS, an email or on a website, as it may download malware.

FireEye says it disclosed the vulnerability publicly because Apple ignored its private disclosure, and has released a proof-of-concept video.

Stock Google Email App for Android Vulnerable to Hacking

Stock Google Email App version 4.2.2 for Android vulnerable to remote code execution: CVE-2015-1574

If you are using the stock Google Email app for Android on your smartphone, you could be handing control of it to a potential hacker. Researchers Hector Marco and Ismael Ripoll have discovered a vulnerability in the stock Google Email app version 4.2.2.0200 which allows a remote attacker to carry out a denial-of-service (DoS) attack with a specially crafted email.

In plain English this means that a specially crafted email sent to the App can crash the email App.

The vulnerability has been assigned CVE-2015-1574 and is deemed critical. “No interaction from the user is needed to produce the crash, just receive the malicious email,” the researchers stated on Marco's blog.

The vulnerability

The bug is caused by the Google Email app's incorrect handling of the Content-Disposition header. If an attacker sends a specially crafted email to the victim, the malformed Content-Disposition header causes the app to crash. The malformed header which causes the crash is:

Content-Disposition: ;

Whereas the correct Content-Disposition header should be :

Content-Disposition: attachment; filename=genome.jpeg;

So whenever the victim receives the malicious email, the application crashes while trying to fetch it. The effect can be a crash loop, as the email app tries to open the hacker's email every time before the user can do anything. In effect, the app is unusable until the offending email is removed by other means, such as a desktop email client or Google Invite.

“Since the application crashes immediately, to remove the malicious email is a little bit tricky. The easiest and straightforward way to remove it is by using other email client (or via web) from the inbox at the email server. Another way is by disabling the internet connection (Airplane mode) before launching the email reader, and then you can remove the offending email,” the researchers stated on their blog.

The removal of the malicious email will however not prevent the hackers from sending similar mails and crashing the App again.
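A parser that treats the malformed header above as a degenerate value rather than a fatal error, as an added example that is not the Google Email app's code; the function names, the fallback filename and the sample headers beyond the two the article quotes are constructed for illustration:

```python
"""Tolerant Content-Disposition parsing. Added example, not the Google Email
app's code: the malformed header the article quotes becomes an empty result
instead of an exception, and the filename is sanitised before use."""
import re
from typing import Dict, Optional, Tuple

# Hypothetical policy: keep only characters that are safe in a filename.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def parse_content_disposition(value: Optional[str]) -> Tuple[str, Dict[str, str]]:
    """Return (disposition_type, params); never raises on malformed input.

    Segments are split on ';' and empty ones dropped, so 'Content-Disposition: ;'
    yields ('', {}). Trailing semicolons, a missing '=', a missing type token and
    quoted values are all tolerated.
    """
    if not value:
        return "", {}
    segments = [seg.strip() for seg in value.split(";")]
    segments = [seg for seg in segments if seg]
    if not segments:
        return "", {}
    disposition = ""
    start = 0
    if "=" not in segments[0]:
        disposition = segments[0].lower()
        start = 1
    params: Dict[str, str] = {}
    for seg in segments[start:]:
        name, sep, raw = seg.partition("=")
        if not sep or not name.strip():
            continue  # bare token or '=value' without a name: ignore
        raw = raw.strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        params[name.strip().lower()] = raw
    return disposition, params


def attachment_filename(header: Optional[str], fallback: str = "attachment.bin") -> str:
    """Derive a filesystem-safe name from the header, or use the fallback.

    Directory components are stripped, unsafe characters collapsed to '_',
    and leading/trailing dots removed so the result cannot escape the
    attachments directory or become a hidden file.
    """
    _, params = parse_content_disposition(header)
    name = params.get("filename", "")
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = _UNSAFE.sub("_", name).strip("._")
    return name or fallback


def header_value(line: str) -> str:
    """Strip the 'Content-Disposition:' field name from a raw header line."""
    _, _, value = line.partition(":")
    return value.strip()


# Constructed headers: the correct and malformed forms quoted in the article,
# plus a quoted value and a filename carrying directory components.
SAMPLE_HEADERS = [
    "Content-Disposition: attachment; filename=genome.jpeg;",
    "Content-Disposition: ;",
    'Content-Disposition: inline; filename="report final.pdf"; size=2048',
    "Content-Disposition: attachment; filename=../../weird name.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        value = header_value(line)
        print(repr(value), "->", parse_content_disposition(value),
              "saved as", attachment_filename(value))
```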

Proof of Concept (PoC)

To successfully exploit this vulnerability the attacker only needs to send an email to the victim with an empty Content-Disposition followed by a semicolon.

The researchers have written a simple python script which sends the crafted email to a target email user.

Email Android Google 4.2.2.0200 crasher
=======================================
Author: Hector Marco
Website: https://hmarco.org

$ ./crash_Android_Google_email_4.2.2.0200.py -s [email protected] -r [email protected]
[+] Sending crafted message to: [email protected]
[+] Malicious email successfully sent.

The researchers stated that they tested the vulnerability on a Samsung Galaxy S4 Mini, but warned that this particular version is the default email app for many smartphone users.

Fix

The researchers stated that the simplest fix is to update the App version to 4.2.2.0400 or higher.

However they added that updating is not possible in all cases.

For instance, a fully updated Samsung Galaxy S4 Mini (as of 17 Jan 2015) is vulnerable to this attack, and no version higher than 4.2.2.0200 is available after updating the system via “Software updates,” the researchers stated.

Users with rooted Android smartphones can, however, bypass the official update channel and update the app themselves. Another fix is to download the APK and install it on the smartphone.

The PoC written by the researchers is available in Python.

Google’s Project Zero gets tough on companies with lax security patch policies

Google Inc. has an elite team of hackers and programmers called Project Zero, so named after the “zero day” security flaws that are exploited before developers learn of them.

Project Zero scrubs Google's own and competitors' software for security flaws, giving companies a deadline, more specifically a 90-day ultimatum, to patch the vulnerabilities or have them made public knowledge.

The aim is to “motivate” competitors like Microsoft Corp. and Apple Inc. to fix their buggy software before real cyber criminals take advantage of the flaws in unpatched code. Of course, neither Microsoft nor Apple is keen on this.

Opponents of Google’s Project Zero’s practice say it puts online security at risk by revealing gaps before they can be plugged. Of course, hackers in the know work fast to purposefully exploit software flaws when they become known.

Consider how Chinese-backed intruders exploited the web security flaw known as Heartbleed to attack Community Health Systems Inc. only a week after the flaw was publicized.

Apple even pleaded with Google to wait before going public so it could fix flaws in the Mac OS X operating system. Google knew the fix was coming and had possession of the updated source software because it also served as a developer for Apple at the time. Google refused and released details of the flaws to the public. Microsoft also requested additional time to fix a flaw in its Windows OS. Google again refused and publicized the bug.

Google's supporters say Project Zero's hard-line 90-day approach may push the software industry, in which companies can take months or years to patch their bugs, to adopt better security patching practices.

To date, Google's Project Zero has identified 39 vulnerabilities in Apple products and 20 in Microsoft products. The team has also found 37 flaws in Adobe Systems Inc. software and 22 in the FreeType font-rendering library.

It is a good thing for consumers that Google's Project Zero has taken on the role of “patch it or we'll report it” taskmaster, as many of these companies' products can leave users vulnerable to hacks that create more grief and deeper problems if they are not kept in check.

Project Zero has drawn a line in the sand; how the affected companies react will determine which products you can really trust with your data in the future.

Windows Security Bypassed by Modifying a Single Bit by Researchers

Windows operating systems security from XP to current version Window 10 can be bypassed with a single bit

Microsoft on Tuesday disclosed in its security bulletins a privilege escalation vulnerability which, according to researchers, can be exploited by malicious actors to bypass all the security measures in the Windows operating system by modifying a single bit.

Microsoft says that an attacker who manages to log in to the targeted system can “gain elevated privileges and read arbitrary amounts of kernel memory,” which would allow them to install software, view and change data, and create new accounts with full administrative rights.

Udi Yavo, the chief technology officer at the security firm enSilo, says: “The vulnerability (CVE-2015-0057) is rated as ‘important,’ which could give attackers total control of the victims’ machines.”

Yavo further said that “A threat actor that gains access to a Windows machine (say, through a phishing campaign) can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomization.”

Yavo continued, “Interestingly, the exploit requires modifying only a single bit of the Windows operating system.”

The flaw existed in the graphical user interface (GUI) component of the Win32k.sys module within the Windows kernel which, among other things, manages windows' vertical and horizontal scroll bars. The flaw resides in the xxxEnableWndSBArrows function, which can alter the state of both scroll bars in a single call.

The exploit works on all versions of the operating system, from Windows XP to the 64-bit version of the latest Windows 10 Technical Preview (with protections enabled). The attack method can be used to bypass kernel protections such as Kernel Data Execution Prevention (DEP), Kernel Address Space Layout Randomization (KASLR), Mandatory Integrity Control (MIC), Supervisor Mode Execution Protection (SMEP) and NULL dereference protection, the researcher said.

“We have shown that even a minor bug can be used to gain complete control over any Windows Operating System,” Yavo said. He also commented that Microsoft's efforts to make its operating system more secure have raised the bar significantly and made writing reliable exploits far harder than before. “Unfortunately, these methods are not going to stop attackers. We predict that attackers will continue incorporating exploits into their crime kits, making compromise inevitable.”

The researchers have also published a PoC video demonstrating the vulnerability. It doesn't disclose any sensitive code, but it shows the privilege escalation exploit running on a machine with 64-bit Windows 10 Technical Preview.

Microsoft’s patch issues are nothing new; before this, in January, Bromium security researcher Jared DeMott demonstrated that the Heap Isolation and Delay Free mitigations can be bypassed.

CVE-2015-0057 is not the only interesting vulnerability patched by Microsoft on Tuesday. The company has also released updates for a critical remote code execution flaw (CVE-2015-0008) caused due to the way Group Policy receives and applies policy data when a domain-joined system connects to a domain controller. On the other hand, Microsoft still hasn’t addressed a recently disclosed universal cross-site scripting (UXSS) vulnerability affecting Internet Explorer.

Hackers can use RFID readers to steal payment card numbers while you are in public

New credit cards with embedded RFID chips can pose a problem with security and identity theft

A team of cyber security researchers have revealed that hackers can use mobile technology to steal credit and debit card numbers from you while you're in public. The cards at risk are those enabled with radio technology that allows you to “wave and pay.”

It's as though, while you are ‘waving and paying’, a hacker lurking in the vicinity is secretly reading your payment card numbers and storing them. Unaware of the risk, you may get a nasty shock when unknown payments show up on your billing statement at the end of the payment cycle.

Radio frequencies are everywhere, but most smart cards (i.e. newer debit and credit cards) operate at 13.56 MHz (HF) and can be read at a range of 10 centimeters to 1 meter (around 2 feet max).

If you have one of these newer cards, an attacker can currently only obtain the card number and the expiration date, not the three-digit CVV security number required for some purchases. However, it should be noted that a card number and expiration date could be put onto dummy cards and used at certain point-of-sale terminals that only require you to pass the card over the terminal for a payment (without the CVV requirement).

More and more of these RFID tags are being placed into other documents, including passports and employee badges, which may hold more information and create potentially more problems when cloned, especially in the case of employee badges, which grant access to secure buildings and the like.

So far the only known defense against these types of attacks is to create a “Faraday cage” around the card (usually in the form of aluminum foil, or lining your pocket or wallet with a similar material).

If you are victimized, most card issuers such as MasterCard and Visa, and most debit cards, have policies that say you're not liable for fraudulent transactions and will be made whole; however, it can take days or sometimes weeks to get back money stolen from your checking account or debit card.

If you like the idea of mobile payments, for now Apple Pay or PayPal can be viable alternatives, since your actual card numbers are not stored on your iPhone or smart device and they do not have any RFID.

Major security alert as 40,000 MongoDB databases left unsecured

More than 40,000 MongoDB databases are floating around on the Internet, presenting a major threat to stakeholders

The NoSQL company MongoDB suffered a major setback today when a group of students from Saarland University in Germany found that nearly 40,000 databases were accessible online due to the lack of security mechanisms in these databases. One of them alone holds around 8 million customer phone numbers and addresses.

The 3 Musketeers

These three students, Jens Heyens, Kai Greshake and Eric Petryka from Saarland University in Germany, were behind the discovery that databases running as a service or used as a website backend could be reached by anyone on the internet with read and write access.

“Without any special tools and without circumventing any security measures, we would have been able to get read-and-write access to thousands of databases, including sensitive customer data [and] live backends of web shops,” the students wrote.

Their view is that these mechanisms were not put in place as the tutorials and guidelines do not mention them specifically.

Organisations that set up MongoDB servers following these guidelines are likely to have overlooked the importance of activating the security mechanisms and left their databases open on the internet. After a simple search, the number of vulnerable database instances they found was 39,890. This number could be much higher, as major corporations block such scans and searches.

MongoDB by default listens on TCP port 27017, so anyone would simply need to run a port scan of the internet to find openly accessible databases, according to the students, who said it was ‘incredibly easy’ and could be achieved within four hours. They also mentioned the search engine Shodan, which keeps a database of IP addresses with the services running on them and an easy-to-use filter mask.

Lack of acknowledgment

“The fault is not complicated, but its effect is catastrophic,” said Michael Backes, professor of information security and cryptography at Saarland University and director of CISPA, who was contacted by the students at the end of last month. The students informed the French Data Protection Authority (CNIL), the Federal Office for Information Security and MongoDB so that the affected database owners could be notified. But the anger is not because of the flaw, it is being fuelled by the lack of acknowledgement of the existence of the flaw.

Dent in the growth

This revelation will cause a dent to the growth story of NoSQL systems, which have in recent years challenged the use of relational databases with the prowess of handling greater data sets with better efficiency. As the leading open-source document database, MongoDB is at the center of this trend with several major websites and services integrating it for their backend. This security alert is likely to be a setback for the company, which last month was valued at $1.6 billion after a new round of funding from investors.

In a statement, MongoDB said: “Readers who are concerned about access to their systems are reminded of the following resources: the most popular installer for MongoDB (RPM) limits network access to local host by default; security is addressed in detail in our security manual; the method to do this will vary significantly depending on where the service is hosted; and users of MongoDB Management Service (MMS) can enable alerts to detect if their deployment is internet exposed. We encourage users who have experienced a security incident for MongoDB to create a vulnerability report.”
