Students find no mechanisms protecting the databases

Feb 10, 2015 15:13 GMT

Administrators of tens of thousands of MongoDB databases around the world failed to enforce any security mechanisms, allowing access outside the backend and exposing information of millions of customers to unauthorized parties.

MongoDB is an open-source, document-oriented database compatible with multiple operating systems. It is a highly popular NoSQL database, used by major websites and services.

Shodan used to identify open MongoDB servers

Three students (Jens Heyens, Kai Greshake and Eric Petryka) studying cyber security at Saarland University in Germany used the Shodan search engine for Internet-connected devices to find machines with TCP port 27017 open, the default port used by MongoDB.

They relied on a free account in their research and used the readily available filters to identify the unprotected MongoDB servers. Using a specific piece of HTML code, they managed to create a list of IP addresses pointing to vulnerable databases.

These steps were sufficient to give them access to the Mongo shell using only the external IP address assigned to the machine hosting the database. In short, the servers found had no access control mechanism that would prevent an attacker from retrieving the information they stored.

The initial port scan returned a total of 39,890 results, but the students say that the number of vulnerable instances is not accurate because some owners had blocked scanning activity for their machines. On the other hand, in some cases, the databases were left open on purpose as they were part of a honeypot setup.

Michael Backes, director of CISPA (Center for IT-Security, Privacy and Accountability), a competence center within Saarland University, says that although the glitch is not a complicated one, “its effect is catastrophic.”

Millions of customer entries exposed

The students say that they managed to take a look at a customer database belonging to an unnamed French telecommunications provider, containing details of about eight million customers.

Information such as names, addresses, emails and credit card numbers could not only be copied but modified as well.

Apart from the data from the French operator, the trio also found information from a German online retailer that exposed payment details belonging to half a million individuals.

The French Data Protection Authority and the Federal Office for Information Security (BSI) in Germany have been notified.

Misconfiguration at fault

The default configuration for MongoDB is to accept requests only from services on the local network, so any connection from outside is rejected automatically.

But a more common setup, the students say in a paper presenting their findings, is to have the database on one machine and the services using it on another. If this approach is used, then the easiest way to allow access to the services is to remove the local access restriction, thus defaulting to accepting connections from any network.

This seems to be the mistake made by the administrators, who also failed to configure access control mechanisms (challenge and response, X.509 certificate, Kerberos and LDAP proxy authentication), which go hand in hand with traffic encryption.
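The two mistakes described above (removing the local binding restriction without enabling access control or traffic encryption) can be checked for in a mongod configuration file. The following is an added example, not code from the article or from MongoDB; it uses a small built-in parser for the YAML-style config, the sample configurations are constructed, and the private address 10.0.0.5 is assumed to be the interface the application servers use.

```python
# Added example (not the article's or MongoDB's code): audit a mongod YAML config for the
# three weaknesses described above, using a small built-in parser so PyYAML is not needed.
ALL_INTERFACES = {"0.0.0.0", "::", "*"}
# Constructed sample: the mistake described above, localhost-only binding removed, nothing else set.
EXPOSED_CONF = """\
net:
  bindIp: 0.0.0.0
"""
# Constructed sample: loopback plus the application hosts' private network (10.0.0.5 is assumed),
# with authorization and TLS enforced.
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.0.5
  ssl:
    mode: requireSSL
security:
  authorization: enabled
"""

def parse_config(text):
    """Flatten nested YAML sections into {'net.bindIp': '0.0.0.0', 'net.ssl.mode': ...}."""
    settings, stack = {}, []                      # stack of (indent, key) for open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing whitespace
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # back out of finished sections
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[path] = value.strip()
        else:
            stack.append((indent, key.strip()))   # section header such as 'net:' or 'ssl:'
    return settings

def audit(settings):
    """Return the weaknesses found; an empty list means all three checks passed."""
    findings = []
    bind = settings.get("net.bindIp", "(not set)")
    if bind == "(not set)" or any(addr.strip() in ALL_INTERFACES for addr in bind.split(",")):
        findings.append(f"not restricted to specific interfaces (bindIp {bind})")
    if settings.get("security.authorization", "").lower() != "enabled":
        findings.append("access control disabled: clients need no credentials")
    tls = settings.get("net.tls.mode", settings.get("net.ssl.mode", "disabled"))
    if tls.lower() not in {"requiressl", "requiretls"}:
        findings.append(f"traffic not encrypted (TLS mode: {tls})")
    return findings
```

Running `audit(parse_config(EXPOSED_CONF))` reports all three weaknesses, while the hardened sample returns no findings.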

The trio passed their findings to the maintainers of MongoDB in order to integrate them in their revised security instructions for the users.