Three students from Saarland University in Germany have discovered that tens of thousands of MongoDB databases running as a service or website backend on commercial servers were exposed on the Internet.
MongoDB is a NoSQL, cross-platform document-oriented database. According to their research, the students found nearly 40,000 instances of MongoDB open on the Internet, including one belonging to a French telecommunications provider that had about 8 million customer entries.
“Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops,” the students wrote in their report.
The students argue that the reason for this situation is twofold. First, MongoDB's defaults are tailored to running it on the same physical machine or virtual machine instance. Second, the documentation and guidelines for setting up MongoDB servers with Internet access may not be explicit enough about the need to activate access control, authentication, and transfer encryption mechanisms, the report contends.
“If a less experienced administrator sets up a MongoDB Web server following those guidelines, it can easily happen that the administrator oversees the importance of activating crucially required security mechanisms,” according to the report. “This will lead to a completely open and vulnerable database that each and everyone can access and, even worse, manipulate.”
MongoDB runs by default on TCP port 27017, the students noted, meaning that an attacker would simply need to run a port scan on the Internet to find openly accessible databases. The databases can also be identified using the Shodan search engine, according to the report.
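The three controls the report singles out (network exposure, access control and transfer encryption) all correspond to settings in `mongod.conf`. As an added illustration, not taken from the article or from the students' report, the following Python script reads a `mongod.conf` and flags those settings the way an administrator auditing their own deployment might. The two configuration samples are constructed for this example, and the helper parser handles only the indented `key: value` subset of YAML that `mongod.conf` uses, so it needs no third-party library.

```python
"""Audit a mongod.conf for the exposure-relevant settings named in the
Saarland report: network binding, access control and transport encryption.

Added example, not part of the original article. The config samples below
are constructed; the option names (net.bindIp, net.bindIpAll,
security.authorization, net.tls.mode, legacy net.ssl.mode) are real
MongoDB configuration keys.
"""

from typing import Any, Dict, List


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the indentation-based 'key: value' subset of YAML used by
    mongod.conf: nested maps, scalar values and '#' comments.
    Lists, quoted '#' characters and multi-line scalars are not handled."""
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Unwind to the mapping this line is nested under.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def audit(conf: Dict[str, Any]) -> List[str]:
    """Return one finding per control that is missing or weak."""
    findings: List[str] = []
    net = conf.get("net", {})

    # 1. Network exposure: listening on every interface puts the database
    #    on port 27017 of any Internet-facing address the host has.
    bind = net.get("bindIp")
    wildcard = {"0.0.0.0", "::"}
    if net.get("bindIpAll") == "true" or (
        bind and wildcard & {ip.strip() for ip in bind.split(",")}
    ):
        findings.append("net.bindIp: mongod listens on all interfaces")
    elif bind is None:
        findings.append(
            "net.bindIp: unset; older releases bound all interfaces, "
            "confirm the effective default for this version"
        )

    # 2. Access control: without this every client is anonymous and has
    #    full read/write access.
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization: access control not enabled")

    # 3. Transport encryption: net.tls.mode (4.2+) or legacy net.ssl.mode.
    mode = net.get("tls", {}).get("mode") or net.get("ssl", {}).get("mode")
    if mode not in ("requireTLS", "requireSSL"):
        findings.append("net.tls.mode: TLS is not required for connections")
    return findings


# Constructed sample: an unhardened install that mirrors the exposure the
# students describe (open binding, no authorization, no TLS).
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same deployment with the three controls on.
# The certificate path is a placeholder.
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application-tier address
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_simple_yaml(text)) or ['no findings']}")
```

Run against a real file with `audit(parse_simple_yaml(open("/etc/mongod.conf").read()))`; an empty result means the three settings are present, not that the host firewall or cloud security group is correct, which the report notes varies by hosting environment.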
The students – Jens Heyens, Kai Greshake and Eric Petryka – are also employees at the university’s Center for IT-Security, Privacy and Accountability (CISPA). In a statement, CISPA noted that it is up to MongoDB users to make sure the databases are properly configured.
“This is an example of high profile, enterprise grade technology repeating painful lessons learned from the past, which unfortunately we see all too often,” said Trey Ford, global security strategist at Rapid7, adding that MongoDB’s access control and encryption services should be turned on by default.
“MongoDB wasn’t built in the age of innocence or before widespread Internet adoption,” he continued. “There was a time when server operating systems and services defaulted to being wide open as they were never intended to be exposed to the Internet. This has changed, and if the technology doesn’t change to adapt to Internet usage, the systems will be extremely vulnerable.”
Eliot Horowitz, CTO of MongoDB, blogged that MongoDB takes user security very seriously.
“Security is addressed in detail in our Security Manual,” he wrote. “The Security Checklist discusses limiting network exposure. Note that the method to do this will vary significantly depending on where the service is hosted (AWS, Azure, locally, etc). Additionally, users of MongoDB Management Service (MMS) can enable alerts to detect if their deployment is Internet exposed.”