Back in February, some students from the Centre for IT-Security, Privacy and Accountability (CISPA) at Saarland University, Germany made headlines when they reported that they had found approximately 40,000 MongoDB Databases exposed on Port 27017, a port that is open by default in a MongoDB Database installation. Anyone who searches Shodan would be able to easily locate such leaking databases.
So what happened after they reported their findings? There was some media coverage, but did the FTC post any guidance or warning to entities? Did CERT? Did the FBI? If they did, I can’t find it, and it appears that many businesses and entities using MongoDB are still exposing their entire databases on Port 27017. As of this weekend, there were 36,000 results for a search for open databases on that port. While many of them appear to be duplicates, it is still a concerning number.
In recent days, DataBreaches.net has reported on some of these leaking databases: the Vixlet leak affecting more than 377,000 MLB, ATP and Slipknot fans, the OkHello leak affecting more than 2.6 million users of the video chat service, the California Virtual Academies leak affecting more than 74,000 students and employees, the iFit leak affecting 576,274 customers, and the Hzone leak affecting 5,027 users of a dating app for HIV-positive singles, but Chris Vickery has also uncovered many other similarly leaking databases. One of them is from the gaming site Slingo, where Chris found 2.5 million users’ first and last names, usernames, email addresses, password hashes, Facebook IDs, postal addresses, and gender. Chris notified them and they secured their database. He has also notified other businesses, such as Kromtech, after he found 13 million MacKeeper users’ information leaking (I think Brian Krebs may be reporting on that one).
So far, none of the above sites seems to have posted any notification on their sites that disclose that their users’ information had been exposed – or for how long it had been exposed. And I can still access OkHello’s backup database that contains videos of children.
Is it time for government or relevant organizations to issue a highly publicized warning about this situation? CERT considered it a high-risk vulnerability when it issued a release in June 2015 about IBM’s noSQL database. Why no warning on MongoDB Database?
As everyone knows, I am not a security professional. But it seems to me the FBI, FTC, and CERT can and should do something to increase awareness and to get entities to secure their leaking databases.
Update1: John Matherly, the founder of Shodan responded to the MacKeeper news on Shodan’s blog. He reported almost identical numbers to what I said above:
At the moment, there are at least 35,000 publicly available, unauthenticated instances of MongoDB running on the Internet. This is an increase of >5,000 instances since the last article. They’re hosted mostly on Amazon, Digital Ocean and Aliyun (cloud computing by Alibaba)
[…]
By default, newer versions of MongoDB only listen on localhost. The fact that MongoDB 3.0 is well-represented means that a lot of people are changing the default configuration of MongoDB to something less secure and aren’t enabling any firewall to protect their database. In the previous article, it looked like the misconfiguration problem might solve itself due to the new defaults that MongoDB started shipping with; that doesn’t appear to be the case based on the new information. It could be that users are upgrading their instances but using their existing, insecure configuration files.
Significantly, he notes:
Finally, I can’t stress enough that this problem is not unique to MongoDB: Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations.
Okay, so expand the alert/guidance to include them. Whether it’s by intention or by accident, millions of people have their personal information at risk.