600TB of data exposed due to misconfigured MongoDB instances

Shodan, the search engine that lets users find devices connected to the Internet, can be used for a number of different things. As its creator, John Matherly, pointed out, it's a means to measure things that couldn't be measured before, and to gain new and very much needed insights.

The latest of these is that there are nearly 30,000 instances of MongoDB on the Internet that don't have any authorization enabled, i.e. anyone who can reach them over the network can access the data they hold.

“This was actually a bit surprising since by default MongoDB listens on localhost and has done so for a while,” Matherly noted, and decided to see when that default setting was introduced.

Apparently, the problem was flagged by Roman Shtylman back in 2012, but was resolved only in 2014.

Matherly says that MongoDB 2.4.14, a maintenance release from April 28, 2015, is the last version that still listened on all interfaces and not just on localhost, and that he believes that earlier instances of version 2.6 may have been affected.

But he also found that the majority of public MongoDB instances are hosted with cloud providers (Digital Ocean, Amazon, Linode and OVH), and that he believes "that cloud images don't get updated as often, which translates into people deploying old and insecure versions of software."

“The interesting thing to note when looking at the results is that 40% of the instances are running a very old version of MongoDB (1.8.1),” he noted, and added that, according to his calculations, nearly 600TB of data is exposed due to these databases being publicly accessible.

Matherly is not the first to warn about publicly exposed MongoDB databases. Earlier this year, a group of students from Saarland University's Center for IT-Security, Privacy and Accountability (CISPA) conducted a similar search and found tens of thousands of MongoDB databases accessible to remote attackers, including several belonging to big companies and containing personal and financial information of millions of their users.

But obviously this earlier revelation didn't spur many administrators to check whether their database is misconfigured to accept network connections from outside the trusted network, or whether it runs without authentication at all. Hopefully, Matherly's warning will reach at least some.
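As an added example (not code from the article, from Matherly or from the MongoDB project), the script below audits a mongod configuration for the two settings behind the exposure described above: listening on every interface and running without authentication. It understands both the legacy `key = value` format used by MongoDB 2.4 and earlier (`bind_ip`, `auth`) and the YAML format introduced in 2.6 (`net.bindIp`, `net.bindIpAll`, `security.authorization`); those option names are real MongoDB settings, while the three sample configurations are constructed for the example and the YAML parser is a deliberately minimal subset written here (no lists, quoting or multi-line values).

```python
"""Audit a mongod configuration for the two exposure conditions the article
describes: binding to all interfaces and running with authentication off.
Both the legacy 2.4-style 'key = value' format and the 2.6+ YAML format are
handled; the YAML parser only covers the 'section:\n  key: value' shape."""

import re

# Constructed sample configurations (illustrative, not from a real host).
LEGACY_EXPOSED = """\
# mongod.conf, 2.4-era format
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
port = 27017
# no bind_ip line: 2.4 and earlier then listened on all interfaces
# no auth line: authentication off
"""

YAML_EXPOSED = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from every interface
"""

YAML_HARDENED = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

WILDCARD_ADDRS = {"0.0.0.0", "::"}


def _strip_comment(line):
    return line.split("#", 1)[0].rstrip()


def parse_legacy(text):
    """Parse 'key = value' lines into a flat dict."""
    conf = {}
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_yaml_subset(text):
    """Parse indentation-nested 'key: value' lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent closes inner mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key.strip()] = value
        else:
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def is_legacy_format(text):
    lines = [_strip_comment(l).strip() for l in text.splitlines()]
    return any(re.match(r"^\w+\s*=", l) for l in lines if l)


def normalize(text):
    """Return (bind addresses or None, bindIpAll flag, auth enabled)."""
    if is_legacy_format(text):
        conf = parse_legacy(text)
        bind = conf.get("bind_ip")
        bind_all = False
        auth = (conf.get("auth", "false").lower() == "true"
                and conf.get("noauth", "false").lower() != "true")
    else:
        conf = parse_yaml_subset(text)
        net = conf.get("net", {})
        security = conf.get("security", {})
        bind = net.get("bindIp")
        bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
        auth = str(security.get("authorization", "disabled")).lower() == "enabled"
    addrs = None if bind is None else [a.strip() for a in bind.split(",")]
    return addrs, bind_all, auth


def audit(text):
    """Return a list of findings; an empty list means neither issue was found."""
    addrs, bind_all, auth = normalize(text)
    findings = []
    if addrs is None and not bind_all:
        findings.append("no bind address set: releases up to 2.4 then listened on all interfaces")
    elif bind_all or any(a in WILDCARD_ADDRS for a in addrs):
        shown = ", ".join(addrs) if addrs else "bindIpAll"
        findings.append("bound to all interfaces (%s)" % shown)
    if not auth:
        findings.append("authentication not enabled: anyone who can connect can read every database")
    return findings


if __name__ == "__main__":
    for name, text in [("legacy exposed", LEGACY_EXPOSED),
                       ("yaml exposed", YAML_EXPOSED),
                       ("yaml hardened", YAML_HARDENED)]:
        print(name, "->", audit(text) or ["ok"])
```

The check reads only the configuration file; a `--bind_ip` passed on the command line, a firewall in front of the host, or a hand-started mongod with no config file at all can make the effective exposure differ from what the file says, so confirm with `ss -ltnp` (or `netstat`) on the host and, as Matherly did, from the outside.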