Security Experts:

Connect with us

Hi, what are you looking for?



Thousands of MongoDB Databases Found Exposed on the Internet

Three students from Saarland University in Germany have discovered that tens of thousands of MongoDB databases running as a service or website backend on commercial servers were exposed on the Internet.

Three students from Saarland University in Germany have discovered that tens of thousands of MongoDB databases running as a service or website backend on commercial servers were exposed on the Internet.

MongoDB is a NoSQL, cross-platform document-oriented database. According to their research, the students found nearly 40,000 instances of MongoDB open on the Internet, including one belonging to a French telecommunications provider that had about 8 million customer entries.

“Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops,” the students wrote in their report.

The reason for this situation is twofold, the students argue. For one, the defaults of MongoDB are tailored for running it on the same physical machine or virtual machine instances. Second, the documentations and guidelines for setting up MongoDB servers with Internet access may not be sufficiently explicit when it comes to the necessity to activate access control, authentication, and transfer encryption mechanisms, the report contends.

“If a less experienced administrator sets up a MongoDB Web server following those guidelines, it can easily happen that the administrator oversees the importance of activating crucially required security mechanisms,” according to the report. “This will lead to a completely open and vulnerable database that each and everyone can access and, even worse, manipulate.”

MongoDB runs by default on TCP port 27017, the students noted, meaning that an attacker would simply need to run a port scan on the Internet to find openly accessible databases. The databases can also be identified using the Shodan search engine, according to the report.

The students – Jens Heyens, Kai Greshake and Eric Petryka – are also employees at the university’s Center for IT-Security, Privacy and Accountability (CISPA). In a statement, CISPA noted that it is up to MongoDB users to make sure the databases are properly configured.

“This is an example of high profile, enterprise grade technology repeating painful lessons learned from the past, which unfortunately we see all too often,” said Trey Ford, global security strategist at Rapid7, adding that MongoDB’s access control and encryption services should be turned on by default.

“MongoDB wasn’t built in the age of innocence or before widespread Internet adoption,” he continued. “There was a time when server operating systems and services defaulted to being wide open as they were never intended to be exposed to the Internet. This has changed, and if the technology doesn’t change to adapt to Internet usage, the systems will be extremely vulnerable.”

Eliot Horowitz, CTO of MongoDB, blogged that MongoDB takes user security very seriously.

“Security is addressed in detail in our Security Manual,” he wrote. “The Security Checklist discusses limiting network exposure. Note that the method to do this will vary significantly depending on where the service is hosted (AWS, Azure, locally, etc). Additionally, users of MongoDB Management Service (MMS) can enable alerts to detect if their deployment is Internet exposed.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet