When will devs ever learn to secure their MongoDB databases?

May 14, 2016 23:45 GMT  ·  By

Sijmen Ruwhof, a Dutch security expert, has revealed once again that clueless developers can put their companies in great danger if they don't secure their MongoDB databases.

The researcher penned a blog post yesterday explaining how he was giving a demo about ethical hacking for his alma mater university when he accidentally stumbled upon an unprotected MongoDB database supposedly belonging to nutrition, hygiene, and personal care company Unilever.

Ruwhof quickly realized what he found, steered the hacking demonstration in another direction, and continued to follow up on the subject in his free time.

Exposed data belonged to a conference software maker

Investigating the issue two weeks later, the researcher discovered that the exposed MongoDB database didn't belong to Unilever but to a company called Savvy Congress, which provides software that lets conference organizers interact with attendees in real time.

Furthermore, the researcher discovered that the company was exposing not just one but eleven MongoDB servers, along with a MySQL database.

After attempting to contact the company by phone, he eventually reached them with a written letter. The company admitted its mistake, revealing that the servers were older instances of a test development cluster.

The researcher noted that the data on those servers looked authentic, but was satisfied once the company secured its servers a week later.

Ruwhof also discovered two additional MongoDB databases, one of which he says belonged to Droisys, a local Dutch financial services firm. The researcher claims that the company hasn't responded to any of his inquiries yet.

Researcher found over 156.6 GB of data

In total, these thirteen passwordless, Internet-reachable MongoDB servers exposed well over 156.6 GB of data organized in 403 different databases.
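The failure mode behind every server in this story is a mongod listening on all interfaces with no authentication turned on. As an added illustration (not taken from the article or from Ruwhof's post), here is that weak configuration beside a hardened one, using the standard mongod.conf YAML keys; the certificate path is a placeholder.

```yaml
# --- Weak: what a "passwordless, Internet-available" MongoDB usually looks like ---
# Listens on every interface and asks for no credentials, so anyone who can reach
# TCP/27017 can list and dump every database. Before MongoDB 3.6 this was the
# default when no bindIp was set, which is how most of these exposures happened.
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
---
# --- Hardened: same server, reachable only where it should be, and only with a login ---
# Create an administrative user first (the localhost exception allows this), then
# enable authorization and restart; every connection is then bound to a role.
net:
  port: 27017
  bindIp: 127.0.0.1   # or a private interface; never 0.0.0.0 without a firewall in front
security:
  authorization: enabled
```

After restarting, an unauthenticated `listDatabases` from a shell should fail with a "not authorized" error, and a port scan from outside the private network should no longer see 27017 at all.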

As for the matter of unprotected MongoDB databases, MacKeeper security researcher Chris Vickery's findings proved a long time ago that this can be extremely dangerous.

In the past year, Sijmen Ruwhof also uncovered other serious data leaks, including weaknesses in the security practices of many Dutch mobile operators and in the Web server of Danske Bank.

[Image: Screenshot showing one of the exposed MongoDB servers' content]

[Image: Researcher finds exposed databases online with Shodan]