Students find 40k unprotected MongoDB databases, 8 million telco customer records exposed

Students claim to have found nearly 40,000 instances of the popular NoSQL database MongoDB running open on the internet, including one they suspect belongs to an unnamed French telco containing 8 million customer records.

MongoDB is the maker of a hugely popular NoSQL database for web applications and services. Only last month it landed $80m in funding, and it counts Facebook, Salesforce, Expedia, Adobe and Goldman Sachs among its 34 Fortune 100 customers. But it also appears to have thousands of customers who aren’t securing their databases properly, leaving them open for anyone on the internet to tamper with.

The unsecured databases were uncovered by three students at the Centre for IT-Security, Privacy and Accountability (CISPA) at Saarland University, Germany.

The three students, Kai Greshake, Eric Petryka and Jens Heyens, said they were able to get “read and write access” to the unsecured databases “without any special tools”, and have released a report detailing how MongoDB admins should tighten up security.

They also detailed how an attacker could find vulnerable MongoDB instances by running a port scan for TCP port 27017, the default MongoDB port. Meanwhile, “not so tech-savvy attackers” could identify unsecured MongoDB instances using the search engine Shodan, with the help of a snippet of HTML code the students developed to search for exposed databases.

One of the databases they found is suspected to belong to a French ISP and mobile operator, which contained the addresses and telephone numbers of eight million customers, according to the students.

A CISPA spokesperson declined to name the provider when contacted by CSO Australia.

The students said they have reported the issue to the French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL). They first reported their finding at the end of January to Michael Backes, a professor of information security and cryptography at Saarland University and director of CISPA.

“It is not a complex bug, but its effect is disastrous”, said Backes. “A database unprotected like this is similar to a public library with a wide open entrance door and without any librarian. Everybody can enter.”


To be clear, though, the researchers haven’t found a flaw in MongoDB itself, so the maintainers of the database won’t be issuing a patch. However, the researchers do claim to have found a common error in the way admins may be configuring their databases.

The main problem the students identified lies in default configurations that, in some deployment scenarios, leave it to the admin to set up access controls.

“A common setup and scalable solution for most Internet services is to have a database server running on one physical machine, while the services using this database service are (often virtualized) running on another machine,” the students noted.

“In this case, the easiest solution is to comment out the flag bind ip = or to remove it completely, which defaults to accepting all network connections to the database. If access is possible from untrusted machines (e.g., from the Internet) outside the trusted network, it is crucial to also set up transfer encryption and proper access control.”


Kelly Stirman, Director of Products at MongoDB, told CSO Australia that 40,000 unsecured databases “sounds like a big number” but that it was still a fraction of the total number of MongoDB instances deployed.

MongoDB hasn’t tested the researchers’ claims, so it couldn’t confirm or deny the accuracy of the report. The researchers themselves note that some of the instances may have been intentionally configured without access controls, for example where they are being used as honeypots. On the other hand, they speculate the number could be higher, since some operators may have blocked their port scan.

Stirman added that the most widely used MongoDB installers are .rpm packages, which by default are configured to accept connections only from the local host; that setting would mitigate the issue raised by the researchers.

However, users can also compile the database from source and some developers may have omitted security from their own development cycle.

“We make extensive documentation about security, such as configuring MongoDB for secure access and protecting access at different levels,” Stirman added.


MongoDB today also published a security best practices document for users concerned by the students’ findings. It details a pre-deployment security checklist and the MongoDB Management Service, as well as advice on design, configuration and common security mistakes.

The researchers also claimed to have found around 500,000 German user records exposed, as well as a database owned by an unnamed German online retailer that included payment information; the number of affected users was not divulged.

The students said they notified the German Office for Information Security, international computer emergency response teams (CERTs), and MongoDB.

To prevent unauthorised access, the students also recommend setting up transport encryption, such as SSL, or using MongoDB-supported access controls, such as MongoDB challenge and response (MongoDB-CR), X.509 certificate authentication, Kerberos authentication or LDAP proxy authentication.
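As an added illustration (not code from the students’ report or from MongoDB), the following Python audits a legacy ini-style mongod.conf for the three weaknesses the report describes: a commented-out or missing bind_ip, no auth, and no required SSL. The sample config contents are constructed, and the option names assumed are the legacy ones (bind_ip, auth, sslMode).

```python
import re
from typing import Dict, List

# Constructed sample of a legacy ini-style mongod.conf in the state the
# students describe: bind_ip commented out, no auth, no SSL. Not a real file.
WEAK_CONF = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
#bind_ip = 127.0.0.1
port = 27017
"""

# The same constructed file with the settings the report calls for.
HARDENED_CONF = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
bind_ip = 127.0.0.1
port = 27017
auth = true
sslMode = requireSSL
sslPEMKeyFile = /etc/ssl/mongodb.pem
"""

def parse_legacy_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines. Anything after '#' is a comment, so a
    commented-out bind_ip simply vanishes, which is the failure mode here."""
    opts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts

def audit_mongod_conf(text: str) -> List[str]:
    """Return the exposure findings the report warns about ([] if none)."""
    opts = parse_legacy_conf(text)
    findings: List[str] = []
    bind = opts.get("bind_ip")
    # No bind_ip (or 0.0.0.0) means mongod accepts connections on every interface.
    if bind is None or "0.0.0.0" in [b.strip() for b in bind.split(",")]:
        findings.append("listens on all interfaces (no bind_ip restriction)")
    # Without auth = true anyone who can reach the port has read/write access.
    if opts.get("auth", "false").lower() != "true":
        findings.append("access control disabled (auth not set to true)")
    # Anything short of requireSSL still allows plaintext client connections.
    if opts.get("sslMode") != "requireSSL":
        findings.append("no transport encryption (sslMode is not requireSSL)")
    return findings
```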

MongoDB, incidentally, is hosting a webinar this week to educate its users on how to securely configure their databases using available features such as LDAP, SSL, x.509 and authentication.

“We do also hope that the developer of MongoDB will quickly include our results, incorporate them into its guidelines and forward them to the companies using the database”, said Backes.

Stories by Liam Tung