The company pushing MacKeeper, the security and utility software suite for Macs many consider to be scareware, has confirmed that the database containing passwords and personal information of its 13 million users was accessible to anyone who knew what to look for.
The entry point was unearthed by security researcher Chris Vickery. By submitting a simple Shodan search (find database servers listening for incoming connections on port 27101), he discovered four IP addresses that led to a MongoDB database belonging to Kromtech, the company that develops and sells MacKeeper.
The database contains customers’ names, the products they ordered, license information, their public IP addresses, and the credentials for their web admin accounts (usernames and hashed passwords).
“We are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use. We fixed this error within hours of the discovery,” the company announced less than a day after the discovery.
“Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”
They also made sure to note that all customer credit card and payment information is processed by a third-party merchant and was never at risk, and that billing information is not transmitted to or stored on any of their servers.
The company made all the usual assurances about keeping their customers’ data safe, but Vickery pointed out that the stored passwords were poorly hashed (MD5 with no salt).
According to Brian Krebs, “Vickery said Kromtech told him its database had been inadvertently exposed as a result of a server misconfiguration that was introduced just last week. But Vickery said he doubts that’s the case, because some of the Shodan records he found that pointed back to Kromtech’s database were dated mid-November 2015.”
“I’ve discovered approximately 25 million exposed accounts’ details for various sites and services over the past 2 weeks,” says Vickery, who has been sharing his discoveries both with the companies involved and with Databreaches.net. Among those discoveries: two apps handling health information also had wide-open databases, leaking extremely personal health data.
These most recent discoveries prompted Shodan founder John Matherly to repeat the search himself, and it showed that there are at least 35,000 publicly available, unauthenticated instances of MongoDB running on the Internet – even more than last time.
Why is this happening? Well, it’s because many are still using older versions of MongoDB – the open port issue was fixed over a year ago.
But even some of those who use newer versions of MongoDB are changing the default configuration to something less secure, or are reusing their existing, insecure configuration files, Matherly opines.
He also noted that this problem is not unique to MongoDB, and that Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations.
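As an added example (not from this article, Shodan or Kromtech), the script below audits a mongod configuration file for the two settings behind the exposures Matherly describes: the bind address and whether authorization is enabled. It assumes the standard legacy and YAML config layouts, uses constructed sample files, and the function names are its own.

```python
"""Audit a mongod config for the two settings behind most exposed-database
findings: listening on every interface and running without authentication.
Handles the legacy "key = value" format and the YAML format (MongoDB 2.6+)
with a minimal line-based parser, so no third-party package is needed."""

ALL_INTERFACES = {"0.0.0.0", "::"}

def parse_config(text):
    """Flatten a config file into a dict; YAML keys become 'section.key'."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        if not line.startswith(" ") and "=" in line:  # legacy format
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
        elif not line.startswith(" ") and line.endswith(":"):  # YAML section
            section = line[:-1].strip()
        elif ":" in line:  # YAML "key: value" inside a section
            key, _, value = line.partition(":")
            name = f"{section}.{key.strip()}" if section else key.strip()
            settings[name] = value.strip()
    return settings

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s, findings = parse_config(text), []
    bind = s.get("net.bindIp", s.get("bind_ip", ""))
    if s.get("net.bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: the server listens on every interface")
    elif not bind:
        # Before 3.6 an unset bind address meant mongod listened on all interfaces.
        findings.append("no bind address set: older mongod builds listen on all interfaces")
    elif any(a.strip() in ALL_INTERFACES for a in bind.split(",")):
        findings.append(f"bindIp {bind!r} exposes the server to every network it sits on")
    auth = s.get("security.authorization", s.get("auth", "")).lower()
    if auth not in ("enabled", "true"):
        findings.append("authorization not enabled: any client that connects can read every database")
    return findings

# Constructed sample files (not Kromtech's real configuration).
LEGACY_OPEN = "dbpath = /var/lib/mongodb\nlogpath = /var/log/mongodb/mongod.log\n"
YAML_OPEN = "net:\n  bindIp: 0.0.0.0\n"
YAML_HARDENED = """\
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
```

Running `audit()` over the three samples flags both the bind address and missing authorization for the legacy and open YAML files, and nothing for the hardened one.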