MongoDB is a cross-platform, document-oriented database that stores JSON-like documents with dynamic schemas (BSON), which eases the integration of data between different applications. MongoDB is popular for its scalability, performance and high availability, and it is a valid choice even for very complex architectures; to achieve high performance it leverages in-memory computing.
Today MongoDB is used by many organizations; the bad news is that nearly 40,000 instances running MongoDB are exposed on the Internet and vulnerable to hacking attacks.
“Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops. The reason for this problem is twofold:
• The defaults of MongoDB are tailored for running it on the same physical machine or virtual machine instances.
• The documentations and guidelines for setting up MongoDB servers with Internet access may not be sufficiently explicit when it comes to the necessity to activate access control, authentication, and transfer encryption mechanisms,” states the report published by the researchers.
“Since we are now able to connect to the MongoDBs found by calling the mongo shell with the IP address found.”
mongo $IP
“In order to verify the impact and risk related to the found MongoDB instances, we exemplarily double-checked that these databases are not intentionally configured without access control and further security mechanisms. Briefly looking at a large database, we found a customer database of a French telecommunications provider with about 8 million customer entries,” wrote the researchers. “Our initial port scan revealed 39,890 instances. However, this number might be inaccurate, since on the one hand many larger providers blocked the scan such that there might be more publicly accessible MongoDBs online, and on the other hand some of these databases might be intentionally configured without security measures, e.g. as honeypots.”
Using a free standard account we identified a first set of vulnerable MongoDB addresses by pasting the following HTML code.
curl $SHODANURL | grep -i class=\"ip\" | cut -d '/' -f 3 | cut -d '"' -f 1 | uniq > db.ip
“Those who are affected by the issue should use the latest installer for MongoDB, which limits network access to localhost by default, and also refer to the MongoDB Security Manual.”
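The three conditions the report names (a server listening beyond the local machine, no access control, no transfer encryption) can all be read off a mongod.conf file. The following is an added example, not code from the report or from Security Affairs: a small Python audit that parses the indentation-based key/value subset of YAML that mongod.conf uses (no external library, no lists) and reports which of the three conditions is present. Both configuration samples are constructed; the file path, port and certificate path in them are placeholders. Because a missing bindIp is treated as localhost, the check reflects the localhost-by-default behaviour the article attributes to the newer installer, so older builds that bound all interfaces by default should be audited with the bindIp line written out explicitly.

```python
"""Audit a mongod.conf for the exposure conditions the report describes.

Added example, not from the report or the article. Handles only the
two-to-three level "key: value" layout mongod.conf normally uses.
"""

# Constructed sample: exposed on every interface, no auth, no TLS.
INSECURE_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: local only, access control on, TLS required.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
security:
  authorization: enabled
"""

LOCAL_ADDRS = {"127.0.0.1", "localhost", "::1"}


def parse_conf(text):
    """Parse indentation-nested "key: value" lines into nested dicts.

    Comment and blank lines are skipped; a key with no value opens a
    nested mapping. YAML lists and quoting are deliberately not handled.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        # Close every mapping that is indented at least as deep as this line.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(conf):
    """Return one finding string per report condition present in conf."""
    findings = []
    net = conf.get("net", {})

    # 1. Network exposure: anything beyond loopback, or bindIpAll, counts.
    bind = net.get("bindIp", "127.0.0.1")  # assumption: absent means localhost
    addrs = [a.strip() for a in bind.split(",")]
    if str(net.get("bindIpAll", "false")).lower() == "true" or any(
        a not in LOCAL_ADDRS for a in addrs
    ):
        findings.append(f"listens on non-local interface(s): {bind}")

    # 2. Access control: security.authorization must be "enabled".
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("access control disabled (security.authorization not enabled)")

    # 3. Transfer encryption: net.tls (4.2+) or the older net.ssl block.
    tls = net.get("tls", net.get("ssl", {}))
    mode = tls.get("mode", "disabled") if isinstance(tls, dict) else "disabled"
    if mode not in ("requireTLS", "requireSSL"):
        findings.append(f"transport encryption not required (mode={mode})")
    return findings


if __name__ == "__main__":
    for name, text in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        result = audit(parse_conf(text))
        print(f"{name}: {result or 'no findings'}")
```

Run it against a real file with `audit(parse_conf(open("/etc/mongod.conf").read()))`; an empty list means none of the three report conditions is present, which is the state the article's remediation advice (localhost binding plus the Security Manual's access-control and TLS settings) is meant to reach.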
(Security Affairs – MongoDB, Hacking)