Pierluigi Paganini February 13, 2015

Three German students have discovered that tens of thousands of MongoDB databases running as a service or website backend were exposed on the Internet.

“Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops. The reason for this problem is twofold: • The defaults of MongoDB are tailored for running it on the same physical machine or virtual machine instances. • The documentations and guidelines for setting up MongoDB servers with Internet access may not be sufficiently explicit when it comes to the necessity to activate access control, authentication, and transfer encryption mechanisms” states the report published by the researchers.

“Since we now are able to connect to the MongoDBs found by calling the mongo shell with the IP address found.”

mongo $IP 4

“In order to verify the impact and risk related to the found MongoDB instances, we exemplarily double-checked that these databases are not intentionally configured without access control and further security mechanisms. Briefly looking at a large database1 , we found a customer database of a French telecommunications provider with about 8 million customer entries” wrote the researchers. “Our initial port scan revealed 39,890 instances. However, this number might be inaccurate, since on the one hand many larger providers blocked the scan such that there might be more publicly accessable MongoDBs online, and on the other hand some of these databases might be intentionally configured without security measures, e.g. as honeypots”

Using a free standard account we identified a first set of vulnerable MongoDB addresses by pasting the following HTML code. curl $SHODANURL |grep -i class=\"ip\" |cut -d ’/’ -f 3 \ |cut -d ’"’ -f 1|uniq >db.ip