Discovered 40000 vulnerable MongoDB databases on the Internet

Pierluigi Paganini February 13, 2015

Three German students have discovered that tens of thousands of MongoDB databases running as a service or website backend were exposed on the Internet.

MongoDB is a cross-platform, document-oriented database that stores JSON-like documents with dynamic schemas (BSON), which eases the exchange of data between different applications. It is popular for its scalability, performance and high availability, and it is a viable choice even for very complex architectures; to reach that performance, MongoDB relies heavily on keeping data in memory.

MongoDB is used by many organizations today; the bad news is that nearly 40,000 instances are reachable from the Internet without protection and exposed to attack.

Three students from Saarland University in Germany, Kai Greshake, Eric Petryka and Jens Heyens, discovered that MongoDB databases listening on TCP port 27017 on several thousand commercial web servers are exposed to the Internet without proper protection.
The German team reported that they were able to get “read and write access” to the unsecured MongoDB databases without using any special hacking tools.
“Without any special tools and without circumventing any security measures, we would have been able to get read and write access to thousands of databases, including, e.g., sensitive customer data or live backends of Web shops. The reason for this problem is twofold:
• The defaults of MongoDB are tailored for running it on the same physical machine or virtual machine instances.
• The documentations and guidelines for setting up MongoDB servers with Internet access may not be sufficiently explicit when it comes to the necessity to activate access control, authentication, and transfer encryption mechanisms” states the report published by the researchers.
The results of the study are disconcerting: 39,890 MongoDB databases were openly available on the Internet. The list of accessible databases includes one belonging to an unnamed French telecommunications company that contains 8 million customers’ phone numbers and addresses.
“Since we now are able to connect to the MongoDBs found by calling the mongo shell with the IP address found.”

mongo $IP
“In order to verify the impact and risk related to the found MongoDB instances, we exemplarily double-checked that these databases are not intentionally configured without access control and further security mechanisms. Briefly looking at a large database, we found a customer database of a French telecommunications provider with about 8 million customer entries” wrote the researchers. “Our initial port scan revealed 39,890 instances. However, this number might be inaccurate, since on the one hand many larger providers blocked the scan such that there might be more publicly accessible MongoDBs online, and on the other hand some of these databases might be intentionally configured without security measures, e.g. as honeypots”
The experts highlighted that the exposure is easy to exploit at scale: an Internet-wide scan for TCP port 27017 locates every reachable server in a few hours.
The attackers could also use the popular Shodan Search Engine to identify accessible MongoDB databases easily.
The researchers wrote: “Using a free standard account we identified a first set of vulnerable MongoDB addresses by pasting the following HTML code.”

curl $SHODANURL | grep -i 'class="ip"' | cut -d '/' -f 3 | cut -d '"' -f 1 | uniq > db.ip
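The check the researchers describe (an anonymous mongo shell connecting to a harvested address and reading data) can be reproduced without the shell by speaking the MongoDB wire protocol directly, which also shows why the finding is a configuration problem rather than a software bug. The script below is an added example written for this article, not code from the Saarland report or from MongoDB: it builds the OP_QUERY message the 2015-era mongo shell sent for db.adminCommand({listDatabases: 1}) against admin.$cmd, parses the OP_REPLY, and reports whether the server answered without credentials (“open”) or refused with MongoDB error code 13, Unauthorized (“auth”). The port, the host list taken from the command line and the two sample replies it decodes are constructed for illustration; it needs only the Python standard library.

```python
"""Probe a MongoDB port for an instance that answers commands with no credentials.
Added example for this article, not the report's or MongoDB's code. Speaks the
pre-3.6 wire protocol (OP_QUERY / OP_REPLY) the mongo shell used in 2015."""
import socket
import struct

OP_QUERY, OP_REPLY = 2004, 1
NOT_AUTHORIZED = 13  # MongoDB error code "Unauthorized"


def _cstring(s):
    return s.encode("utf-8") + b"\x00"


def bson_encode(doc):
    """Minimal BSON encoder: bool, int32/int64, double, str, list, dict."""
    body = b"".join(_encode_element(k, v) for k, v in doc.items())
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def _encode_element(key, value):
    name = _cstring(key)
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return b"\x08" + name + (b"\x01" if value else b"\x00")
    if isinstance(value, int):
        if -2 ** 31 <= value < 2 ** 31:
            return b"\x10" + name + struct.pack("<i", value)
        return b"\x12" + name + struct.pack("<q", value)
    if isinstance(value, float):
        return b"\x01" + name + struct.pack("<d", value)
    if isinstance(value, str):
        raw = _cstring(value)
        return b"\x02" + name + struct.pack("<i", len(raw)) + raw
    if isinstance(value, list):  # arrays are documents keyed "0", "1", ...
        return b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
    if isinstance(value, dict):
        return b"\x03" + name + bson_encode(value)
    raise TypeError("unsupported BSON value: %r" % (value,))


def bson_decode(data, offset=0):
    """Decode one BSON document starting at offset; return (dict, end_offset)."""
    (length,) = struct.unpack_from("<i", data, offset)
    end, pos, doc = offset + length, offset + 4, {}
    while pos < end - 1:  # last byte of the document is the 0x00 terminator
        typ, pos = data[pos], pos + 1
        name_end = data.index(b"\x00", pos)
        key, pos = data[pos:name_end].decode("utf-8"), name_end + 1
        if typ == 0x01:
            (value,), pos = struct.unpack_from("<d", data, pos), pos + 8
        elif typ == 0x02:
            (slen,) = struct.unpack_from("<i", data, pos)  # length includes NUL
            value, pos = data[pos + 4:pos + 3 + slen].decode("utf-8"), pos + 4 + slen
        elif typ in (0x03, 0x04):
            value, pos = bson_decode(data, pos)
            if typ == 0x04:
                value = [value[k] for k in sorted(value, key=int)]
        elif typ == 0x08:
            value, pos = data[pos] == 1, pos + 1
        elif typ == 0x10:
            (value,), pos = struct.unpack_from("<i", data, pos), pos + 4
        elif typ == 0x12:
            (value,), pos = struct.unpack_from("<q", data, pos), pos + 8
        else:
            raise ValueError("unsupported BSON type 0x%02x" % typ)
        doc[key] = value
    return doc, end


def build_op_query(request_id, collection, query, number_to_return=-1):
    """OP_QUERY: header, flags, "db.$cmd" cstring, skip/return counts, BSON query."""
    body = (struct.pack("<i", 0) + _cstring(collection)
            + struct.pack("<ii", 0, number_to_return) + bson_encode(query))
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body


def build_op_reply(response_to, docs, request_id=1):
    """OP_REPLY; used here only to construct sample server answers offline."""
    body = struct.pack("<iqii", 0, 0, 0, len(docs)) + b"".join(map(bson_encode, docs))
    return struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_REPLY) + body


def parse_op_reply(data):
    """Return the documents carried by one complete OP_REPLY message."""
    length, _req, _resp, opcode = struct.unpack_from("<iiii", data, 0)
    if opcode != OP_REPLY or length != len(data):
        raise ValueError("not a complete OP_REPLY")
    nret = struct.unpack_from("<iqii", data, 16)[3]  # numberReturned
    docs, pos = [], 36
    for _ in range(nret):
        doc, pos = bson_decode(data, pos)
        docs.append(doc)
    return docs


def classify_listdatabases(docs):
    """'open': listDatabases succeeded anonymously, i.e. no access control;
    'auth': refused with code 13 Unauthorized; 'other': anything else."""
    doc = docs[0] if docs else {}
    if doc.get("ok") == 1 and "databases" in doc:
        return "open"
    if doc.get("code") == NOT_AUTHORIZED or "not authorized" in str(doc.get("errmsg", "")):
        return "auth"
    return "other"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def check_host(host, port=27017, timeout=3.0):
    """Send the anonymous listDatabases an unauthenticated mongo shell would send."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_op_query(1, "admin.$cmd", {"listDatabases": 1}))
        head = _recv_exact(sock, 4)
        data = head + _recv_exact(sock, struct.unpack("<i", head)[0] - 4)
    docs = parse_op_reply(data)
    return classify_listdatabases(docs), docs


# Constructed sample answers: an open mongod and one with authorization enabled.
OPEN_REPLY = build_op_reply(1, [{
    "databases": [{"name": "customers", "sizeOnDisk": 2 ** 33, "empty": False},
                  {"name": "local", "sizeOnDisk": 83886080, "empty": False}],
    "totalSize": 2 ** 33 + 83886080, "ok": 1.0}])
LOCKED_REPLY = build_op_reply(1, [{
    "ok": 0.0, "code": NOT_AUTHORIZED,
    "errmsg": "not authorized on admin to execute command { listDatabases: 1 }"}])

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:  # e.g. the addresses collected in db.ip
        try:
            print(target, check_host(target)[0])
        except (OSError, ValueError) as exc:
            print(target, "error:", exc)
```

Run it as python probe.py ADDRESS ... against hosts you are authorised to test. A verdict of open is the condition the report describes: if listDatabases succeeds for an anonymous connection the instance has no access control at all, and write access follows. On a mongod with authorization enabled (security.authorization: enabled in the YAML configuration) the same request returns ok: 0 with code 13, and with net.bindIp set to 127.0.0.1, the default the vendor statement below refers to, the TCP connection is refused from outside the host. One caveat: MongoDB 5.1 and later reject OP_QUERY for commands other than hello/isMaster, so against a modern server the same probe would have to use OP_MSG; for the 2.x/3.0 servers found by the 2015 scan OP_QUERY is exactly what the shell spoke.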
The German researchers have reported their findings to MongoDB, to the French Data Protection Authority (CNIL) and to the German Federal Office for Information Security (BSI). They also notified the affected organizations.
MongoDB urges its users to run the latest version of the database:
“Those who are affected by the issue should use the latest installer for MongoDB, which limits network access to localhost by default, and also refer to the MongoDB Security Manual.”

Pierluigi Paganini

(Security Affairs –  MongoDB, Hacking)
