A group of students from Saarland University's Center for IT-Security, Privacy and Accountability (CISPA) have discovered tens of thousands of MongoDB databases accessible to remote attackers, including a couple belonging to big companies and containing personal and financial information of millions of their users.
MongoDB is a popular cross-platform, document-oriented NoSQL database, and is used by many major websites and services, including Craigslist, eBay, SourceForge, Viacom, and many others.
For their research, the three students took advantage of Shodan, the search engine that indexes Internet-connected machines and the services they expose. They searched for hosts with TCP port 27017 open (27017 is the default listening port of the mongod server). An open port only shows that a MongoDB instance is reachable; whether it can actually be read or written depends on whether access control has been switched on, which is what the students then checked.
“We discovered that MongoDB databases running as a service or Web site backend on several thousand commercial servers are openly available on the Internet. Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops,” they noted.
Their initial scan revealed 39,890 instances, but, as they pointed out, this figure is only approximate: some providers blocked the scan, and some of the databases are likely honeypots that were intentionally configured without security measures.
But among the databases they unearthed and could freely access, they discovered a customer database that belongs to a French Internet service provider and mobile phone carrier, containing the addresses and telephone numbers of millions of its customers, and a database of a German online retailer, which also includes payment information.
These companies, their countries’ national offices for information security and CERTs, as well as the developers behind MongoDB have all been notified of this.
But why are there so many accessible MongoDB databases at all? The students attribute it to two things. First, the documentation was not explicit enough about the need to switch on access control, authentication and transport encryption, none of which MongoDB enabled by default at the time. Second, the default service configuration binds the server to the local interface only, but many deployments run the database on one machine and the application that uses it on another. The easy way to make that work is to simply remove the local-only binding, rather than restrict it to the internal interface the application connects from. The server then accepts connections from any network it is attached to, including the Internet, and because no authentication was ever configured, anyone who can reach port 27017 gets the same read and write access the application has.
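To make the failure mode concrete, here is a small audit script that reads a mongod.conf in the YAML format MongoDB has used since 2.6 and flags exactly the combination the students found: a non-loopback bind with authorization disabled. This is an added example and not code from the CISPA report or from the MongoDB project. The three sample configs are constructed for illustration, the YAML parser covers only the nested key: value subset mongod.conf uses, and the `unset_bind_means` parameter is my own modelling of what mongod does when the bindIp line is deleted: releases before 3.6 listened on all interfaces in that case (the behaviour this article concerns), while 3.6 and later default to 127.0.0.1.

```python
"""Audit a mongod.conf (YAML format) for the exposure pattern described above:
a non-loopback bind with no authorization and no transport encryption.
Standard library only. Added example, not MongoDB's or CISPA's code."""
import ipaddress

# Constructed sample configs (illustrative, not taken from the CISPA report).
DEFAULT_LOCAL_ONLY = """\
# shipped default: listen on loopback only
net:
  port: 27017
  bindIp: 127.0.0.1
"""

BIND_LINE_REMOVED = """\
# the common "fix" when the application lives on another host: bindIp deleted
net:
  port: 27017
"""

HARDENED = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal interface
  ssl:
    mode: requireSSL
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the indentation-based key: value subset of YAML into nested dicts.
    Assumes consistent indentation and scalar values; no lists, quotes or anchors."""
    root = {}
    stack = [(-1, root)]  # (indent, dict) of the currently open mappings
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(' '))
        key, _, value = line.strip().partition(':')
        while stack[-1][0] >= indent:  # close mappings that are not ancestors
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:  # a key with no scalar opens a nested mapping
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def _is_loopback(addr):
    if addr == 'localhost':
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or unix socket path: treat as not loopback


def _mode(section):
    return section.get('mode') if isinstance(section, dict) else None


def audit(conf_text, unset_bind_means='0.0.0.0'):
    """Return finding codes in a fixed order.

    unset_bind_means (assumption, see lead-in): what mongod listens on when
    bindIp is absent. Pre-3.6 releases bound all interfaces ('0.0.0.0');
    pass '127.0.0.1' to model a 3.6+ server."""
    conf = parse_conf(conf_text)
    net = conf.get('net', {}) if isinstance(conf.get('net'), dict) else {}
    security = conf.get('security', {}) if isinstance(conf.get('security'), dict) else {}
    findings = []

    bind_all = str(net.get('bindIpAll', 'false')).lower() == 'true'
    addrs = [a.strip() for a in str(net.get('bindIp', unset_bind_means)).split(',') if a.strip()]
    exposed = bind_all or any(not _is_loopback(a) for a in addrs)
    if exposed:
        findings.append('LISTENS_ON_NON_LOOPBACK')

    auth_on = str(security.get('authorization', 'disabled')).lower() == 'enabled'
    if not auth_on:
        findings.append('AUTHORIZATION_DISABLED')

    tls_mode = _mode(net.get('tls')) or _mode(net.get('ssl'))  # net.tls is the 4.2+ spelling
    if tls_mode not in ('requireTLS', 'requireSSL'):
        findings.append('TRANSPORT_UNENCRYPTED')

    if exposed and not auth_on:  # the condition behind the 39,890 reachable instances
        findings.append('UNAUTHENTICATED_REMOTE_ACCESS')
    return findings


if __name__ == '__main__':
    for name, conf in [('default', DEFAULT_LOCAL_ONLY), ('bind removed', BIND_LINE_REMOVED), ('hardened', HARDENED)]:
        print(f'{name:13s} {audit(conf)}')
```

Note that the hardened sample still reports `LISTENS_ON_NON_LOOPBACK`: binding to an internal interface is the correct way to serve an application on another host, but it is worth surfacing so that a firewall rule limiting 27017 to that host is not forgotten. The script does not replace an external check; after changing the config, confirm from the application host (and from outside the network) that the port is reachable only where intended and that an unauthenticated client is refused.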