Students claim to have found nearly 40,000 instances of the popular NoSQL database MongoDB running open on the internet, including one they suspect belongs to an unnamed French telco containing 8 million customer records.
MongoDB is the maker of a hugely popular NoSQL database for web applications and services, which only last month landed $80m in funding and counts Facebook, Salesforce, Expedia, Adobe and Goldman Sachs among its 34 Fortune 100 customers. But it also appears to have thousands of customers who aren’t securing their databases properly, leaving them open for anyone on the internet to tamper with.
The unsecured databases were uncovered by three students at the Centre for IT-Security, Privacy and Accountability (CISPA) at Saarland University, Germany.
The three students Kai Greshake, Eric Petryka and Jens Heyens said they were able to get “read and write access” to the unsecured databases “without any special tools” and have released a report detailing how MongoDB admins should tighten up security.
They also detailed how an attacker could find vulnerable MongoDB instances, either by running a port scan for TCP port 27017, the default for MongoDB, or, in the case of “not so tech-savvy attackers”, by using the search engine Shodan with the help of a snippet of HTML code they’d developed to search for exposed databases.
One of the databases they found is suspected to belong to a French ISP and mobile operator, which contained the addresses and telephone numbers of eight million customers, according to the students.
A CISPA spokesperson declined to name the provider when contacted by CSO Australia.
The students said they have reported the issue to the French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL).
They first reported their finding at the end of January to Michael Backes, a professor of information security and cryptography at Saarland University and director of CISPA.
“It is not a complex bug, but its effect is disastrous”, said Backes. “A database unprotected like this is similar to a public library with a wide open entrance door and without any librarian. Everybody can enter.”
To be clear though, the researchers haven’t found a flaw in MongoDB, so the maintainers of the database won’t be issuing a patch. However, the researchers do claim to have found a common error in the way admins may be configuring their databases.
The main problem the students identified lies in default configurations that, in some circumstances, require the admin to set up access controls themselves.
“A common setup and scalable solution for most Internet services is to have a database server running on one physical machine, while the services using this database service are (often virtualized) running on another machine,” the students noted.
“In this case, the easiest solution is to comment out the flag bind_ip = 127.0.0.1 or to remove it completely, which defaults to accepting all network connections to the database. If access is possible from untrusted machines (e.g., from the Internet) outside the trusted network, it is crucial to also set up transfer encryption and proper access control.”
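The quoted setup can be checked mechanically. The following script is an added example, not code from the students' report or from MongoDB: it parses the legacy key = value mongod.conf format the report quotes and flags the three conditions that together make an instance open to the internet (no bind_ip or a wildcard address, no auth, no required SSL). The option names bind_ip, auth, sslMode and sslPEMKeyFile are the MongoDB 2.x configuration keys; both sample configurations below are constructed for the example and do not describe any real deployment.

```python
"""Audit a legacy (INI-style) mongod.conf for the exposure conditions the CISPA
report describes: listening on every interface, no access control and no
transport encryption.  Added example; the sample configs are constructed."""

from typing import Dict, List, Tuple

# Constructed sample: the "comment out bind_ip" setup the students describe,
# with nothing else changed. mongod then listens on all interfaces.
WEAK_CONF = """\
# mongod.conf
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
#bind_ip = 127.0.0.1
port = 27017
"""

# Constructed sample: the same service reachable from a second (application)
# host, but bound to an explicit address, with auth and TLS required.
HARDENED_CONF = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
bind_ip = 127.0.0.1,10.0.5.12
port = 27017
auth = true
sslMode = requireSSL
sslPEMKeyFile = /etc/ssl/mongodb.pem
"""

TRUTHY = {"true", "1", "yes", "on"}
WILDCARDS = {"0.0.0.0", "::"}
LOOPBACKS = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key = value lines. Comments and blank lines are skipped, so a
    commented-out bind_ip simply never appears in the result."""
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        options[key.strip()] = value.strip()
    return options


def audit(options: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a parsed config."""
    findings: List[Tuple[str, str]] = []
    bind_ip = options.get("bind_ip")
    addrs = [a.strip() for a in bind_ip.split(",")] if bind_ip else []

    # An unset bind_ip, or a wildcard address, means every interface,
    # including the one facing the internet.
    exposed = bind_ip is None or any(a in WILDCARDS for a in addrs)
    loopback_only = bool(addrs) and all(a in LOOPBACKS for a in addrs)
    if bind_ip is None:
        findings.append(("high", "bind_ip unset: mongod listens on all interfaces"))
    elif exposed:
        findings.append(("high", "bind_ip contains a wildcard: mongod listens on all interfaces"))

    # Missing auth or TLS matters most when the port is reachable beyond localhost.
    severity = "high" if exposed else ("low" if loopback_only else "medium")
    if options.get("auth", "false").lower() not in TRUTHY:
        findings.append((severity, "auth not enabled: any client that connects gets read/write access"))
    if options.get("sslMode", "disabled").lower() != "requiressl":
        findings.append((severity, "sslMode is not requireSSL: credentials and data cross the network unencrypted"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_conf(conf)) or 'no findings'}")
```

The severity logic mirrors the students' caveat: a database bound only to loopback without auth is still misconfigured, but it is not the case that puts it on the internet, so those findings are reported as low rather than high.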
Kelly Stirman, Director of Products at MongoDB, told CSO Australia that 40,000 unsecured databases “sounds like a big number” but that it was still a fraction of the total number of MongoDB instances deployed.
MongoDB hasn’t tested the researchers’ claims, so it couldn’t confirm or deny the accuracy of the report. The researchers themselves note that some instances may have been intentionally configured without access controls, for example when they are being used as honeypots. On the other hand, they speculate that the number could be higher, because some operators may have blocked their port scan.
Stirman added that the most widely used installers for MongoDB are .rpm packages, which by default are configured to limit access to localhost, which would mitigate the issue raised by the researchers.
However, users can also compile the database from source and some developers may have omitted security from their own development cycle.
“We make extensive documentation about security, such as configuring MongoDB for secure access and protecting access at different levels,” Stirman added.
MongoDB today also published a security best practices document for users concerned by the students’ findings. This details a pre-deployment security checklist, the MongoDB Management Service, as well as advice on design, configuration and common security mistakes.
The researchers also claimed to have found around 500,000 German user records exposed, as well as a database owned by an unnamed German online retailer, which included payment information. The number of affected users was not divulged.
The students said they notified the German Office for Information Security, international computer emergency response teams (CERTs), and MongoDB.
To prevent unauthorised access, the students also recommend setting up transport encryption, such as SSL, or MongoDB-supported access controls, such as MongoDB challenge and response (MongoDB-CR), X.509 certificate authentication, Kerberos authentication or LDAP proxy authentication.
MongoDB, incidentally, is hosting a webinar this week to educate its users on how to securely configure their databases using available features such as LDAP, SSL, x.509 and authentication.
“We do also hope that the developer of MongoDB will quickly include our results, incorporate them into its guidelines and forward them to the companies using the database”, said Backes.