Thousands of MongoDB Databases Found Exposed on the Internet

Three students from Saarland University in Germany have discovered that tens of thousands of MongoDB databases running as a service or website backend on commercial servers were exposed on the Internet.

MongoDB is a NoSQL, cross-platform document-oriented database. According to their research, the students found nearly 40,000 instances of MongoDB open on the Internet, including one belonging to a French telecommunications provider that had about 8 million customer entries.

“Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops,” the students wrote in their report.

The reason for this situation is twofold, the students argue. First, MongoDB's defaults are tailored to running the database on the same physical or virtual machine as the application that uses it. Second, the documentation and guidelines for setting up MongoDB servers with Internet access may not be sufficiently explicit about the necessity of activating access control, authentication, and transfer encryption, the report contends.

“If a less experienced administrator sets up a MongoDB Web server following those guidelines, it can easily happen that the administrator oversees the importance of activating crucially required security mechanisms,” according to the report. “This will lead to a completely open and vulnerable database that each and everyone can access and, even worse, manipulate.”

MongoDB runs by default on TCP port 27017, the students noted, meaning that an attacker would simply need to run a port scan on the Internet to find openly accessible databases. The databases can also be identified using the Shodan search engine, according to the report.

The students – Jens Heyens, Kai Greshake and Eric Petryka – are also employees at the university’s Center for IT-Security, Privacy and Accountability (CISPA). In a statement, CISPA noted that it is up to MongoDB users to make sure the databases are properly configured.

“This is an example of high profile, enterprise grade technology repeating painful lessons learned from the past, which unfortunately we see all too often,” said Trey Ford, global security strategist at Rapid7, adding that MongoDB’s access control and encryption services should be turned on by default.

“MongoDB wasn’t built in the age of innocence or before widespread Internet adoption,” he continued. “There was a time when server operating systems and services defaulted to being wide open as they were never intended to be exposed to the Internet. This has changed, and if the technology doesn’t change to adapt to Internet usage, the systems will be extremely vulnerable.”

Eliot Horowitz, CTO of MongoDB, blogged that MongoDB takes user security very seriously.

“Security is addressed in detail in our Security Manual,” he wrote. “The Security Checklist discusses limiting network exposure. Note that the method to do this will vary significantly depending on where the service is hosted (AWS, Azure, locally, etc). Additionally, users of MongoDB Management Service (MMS) can enable alerts to detect if their deployment is Internet exposed.”
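As an added illustration of the three controls the report says administrators skip (limiting network exposure, access control, transport encryption), the script below audits a YAML-style mongod.conf for each of them. It is not code from the article, the students or MongoDB; the function names are hypothetical and the two sample configs are constructed, while the option names (net.bindIp, net.bindIpAll, security.authorization, net.tls.mode, net.ssl.mode) are MongoDB's own.

```python
# Added example (not from the article or MongoDB): audit a YAML mongod.conf for the report's three gaps.
from typing import Any, Dict, List

def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the nested key: value subset of YAML used by mongod.conf (no lists, no anchors)."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent, mapping) of the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; values here never contain '#'
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # leave sections that are nested deeper than this line
            stack.pop()
        if value.strip():
            stack[-1][1][key] = value.strip().strip("'\"")
        else:  # a section header such as 'net:' opens a nested mapping
            child: Dict[str, Any] = {}
            stack[-1][1][key] = child
            stack.append((indent, child))
    return root

def audit_mongod_conf(text: str) -> List[str]:
    """One finding per missing control: network exposure, access control, transport encryption."""
    conf = parse_simple_yaml(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings: List[str] = []
    bind = net.get("bindIp")
    if net.get("bindIpAll") == "true" or bind is None or bind in ("0.0.0.0", "::", "*"):
        findings.append("net.bindIp is unrestricted: mongod may listen on every interface")
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': no access control")
    mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode")
    if mode not in ("requireTLS", "requireSSL"):
        findings.append("net.tls.mode does not require TLS: traffic is unencrypted")
    return findings

# Constructed samples: a stock config that sets only storage and port, and a hardened one.
WEAK_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n"
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""
```

Running `audit_mongod_conf(WEAK_CONF)` returns all three findings, while the hardened sample returns none.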