Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Thousands of MongoDB Databases Found Exposed on the Internet

Three students from Saarland University in Germany have discovered that tens of thousands of MongoDB databases running as a service or website backend on commercial servers were exposed on the Internet.

Three students from Saarland University in Germany have discovered that tens of thousands of MongoDB databases running as a service or website backend on commercial servers were exposed on the Internet.

MongoDB is a NoSQL, cross-platform document-oriented database. According to their research, the students found nearly 40,000 instances of MongoDB open on the Internet, including one belonging to a French telecommunications provider that had about 8 million customer entries.

“Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops,” the students wrote in their report.

The reason for this situation is twofold, the students argue. For one, the defaults of MongoDB are tailored for running it on the same physical machine or virtual machine instances. Second, the documentations and guidelines for setting up MongoDB servers with Internet access may not be sufficiently explicit when it comes to the necessity to activate access control, authentication, and transfer encryption mechanisms, the report contends.

“If a less experienced administrator sets up a MongoDB Web server following those guidelines, it can easily happen that the administrator oversees the importance of activating crucially required security mechanisms,” according to the report. “This will lead to a completely open and vulnerable database that each and everyone can access and, even worse, manipulate.”

MongoDB runs by default on TCP port 27017, the students noted, meaning that an attacker would simply need to run a port scan on the Internet to find openly accessible databases. The databases can also be identified using the Shodan search engine, according to the report.

The students – Jens Heyens, Kai Greshake and Eric Petryka – are also employees at the university’s Center for IT-Security, Privacy and Accountability (CISPA). In a statement, CISPA noted that it is up to MongoDB users to make sure the databases are properly configured.

“This is an example of high profile, enterprise grade technology repeating painful lessons learned from the past, which unfortunately we see all too often,” said Trey Ford, global security strategist at Rapid7, adding that MongoDB’s access control and encryption services should be turned on by default.

Advertisement. Scroll to continue reading.

“MongoDB wasn’t built in the age of innocence or before widespread Internet adoption,” he continued. “There was a time when server operating systems and services defaulted to being wide open as they were never intended to be exposed to the Internet. This has changed, and if the technology doesn’t change to adapt to Internet usage, the systems will be extremely vulnerable.”

Eliot Horowitz, CTO of MongoDB, blogged that MongoDB takes user security very seriously.

“Security is addressed in detail in our Security Manual,” he wrote. “The Security Checklist discusses limiting network exposure. Note that the method to do this will vary significantly depending on where the service is hosted (AWS, Azure, locally, etc). Additionally, users of MongoDB Management Service (MMS) can enable alerts to detect if their deployment is Internet exposed.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.