Major security alert as 40,000 MongoDB databases left unsecured on the internet

World-wide distribution of openly accessible MongoDBs (Photo: CISPA - Jens Heyens, Kai Greshake, Eric Petryka)

MongoDB, the open-source NoSQL database company, faces a major security alert after almost 40,000 databases run by its users were found openly accessible on the internet, a document obtained by Information Age reveals.

One database alone – from an unnamed French telecommunications company – includes around 8 million customer phone numbers and addresses.

Three students from Saarland University in Germany – Jens Heyens, Kai Greshake and Eric Petryka – discovered that MongoDB databases running as a service or website backend on several thousand commercial servers were openly available on the internet.


"Without any special tools and without circumventing any security measures, we would have been able to get read-and-write access to thousands of databases, including sensitive customer data [and] live backends of web shops," the students wrote.

It is thought that the documentation and guidelines for setting up MongoDB servers with internet access – for example, in the AWS Cloud – did not explicitly call for enabling access control and authentication, or transport encryption. In the releases of the time none of these was on by default: a mongod started from the generic download listened on all network interfaces and accepted commands from anyone who could reach TCP port 27017.

Organisations that set up MongoDB servers by following these guidelines are likely to have overlooked the importance of activating these security mechanisms and left their databases open to anyone on the internet.
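The settings the guidelines left out, shown as an added example (not taken from the CISPA report or from MongoDB's own documentation) in the YAML configuration format mongod has used since release 2.6. The first document reproduces the state the students found; the second is the minimum a practitioner would want before putting an instance on a routable address. The interface address and certificate path are placeholders.

```yaml
# Weak: what an exposed instance effectively ran. With no net.bindIp, releases
# before 3.6 listened on every interface, and authorization is off unless enabled.
net:
  port: 27017
  # bindIp not set: 0.0.0.0 on releases before 3.6; nothing under security:
---
# Hardened: bind only to the interfaces that need the service, require
# credentials for every command, and encrypt traffic in transit.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5          # loopback plus the private app-tier address (placeholder)
  tls:                                 # releases before 4.2 use net.ssl.mode: requireSSL
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # placeholder path
security:
  authorization: enabled               # commands run only under an authenticated role
```

With `authorization: enabled` the first administrative user is created over the localhost exception (`db.createUser(...)` from a shell on the host itself), after which that exception closes. Deployments still on the older INI-style configuration file express the same two controls as `bind_ip = 127.0.0.1` and `auth = true`. Neither setting replaces a host or cloud firewall rule that keeps port 27017 off the public internet; they are the second layer behind it.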

MongoDB listens by default on TCP port 27017, so an attacker need only scan the internet for that port to find openly accessible databases, according to the students, who said it was ‘incredibly easy’ and could be done within four hours.

They added that hackers could also identify accessible MongoDBs through Shodan, a search engine for internet-connected devices that indexes IP addresses together with the services they expose and offers a simple filter syntax. Using a free standard account, the students were able to identify a first set of vulnerable MongoDB addresses.

After verifying the impact and risk related to the unsecured MongoDB databases, the students counted 39,890 instances – and the true number could be higher, as some large providers blocked the scan.
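The verification step above, reduced to its essence as an added example (not the students' tool and not MongoDB's own code): given a candidate address from a port-27017 scan or a Shodan query such as `port:27017`, does the instance answer an administrative command with no credentials at all? The script uses only the Python standard library and speaks the legacy OP_QUERY/OP_REPLY wire protocol, which releases up to 5.0 accept for commands (from 5.1 only the handshake may use it, and a modern probe would send OP_MSG instead). The two sample replies are constructed, not captured traffic; the host name passed on the command line is whatever the reader chooses to test.

```python
"""Unauthenticated MongoDB exposure probe (added example, standard library only).
Sends listDatabases with no credentials: an open instance lists its databases,
a locked-down one answers code 13 "not authorized"."""
import socket
import struct

OP_REPLY, OP_QUERY, MONGO_PORT = 1, 2004, 27017

def bson_encode(doc):
    """Encode a dict of bool/int/float/str/dict/list values as a BSON document."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):                      # before int: bool subclasses int
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            s = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(s)) + s
        elif isinstance(value, dict):
            body += b"\x03" + name + bson_encode(value)
        elif isinstance(value, list):                    # arrays are documents keyed "0", "1", ...
            body += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported type {type(value).__name__}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"

def bson_decode(buf, offset=0):
    """Decode one BSON document at buf[offset]; returns (dict, offset just past it)."""
    end = offset + struct.unpack_from("<i", buf, offset)[0]
    pos, out = offset + 4, {}
    while pos < end - 1:                                 # final byte is the 0x00 terminator
        kind, pos = buf[pos], pos + 1
        nul = buf.index(b"\x00", pos)
        name, pos = buf[pos:nul].decode(), nul + 1
        if kind == 0x01:                                 # double (how "ok" comes back)
            val, pos = struct.unpack_from("<d", buf, pos)[0], pos + 8
        elif kind == 0x02:                               # int32 length, bytes, 0x00
            n = struct.unpack_from("<i", buf, pos)[0]
            val, pos = buf[pos + 4:pos + 3 + n].decode(), pos + 4 + n
        elif kind in (0x03, 0x04):                       # embedded document / array
            val, pos = bson_decode(buf, pos)
            if kind == 0x04:
                val = [val[k] for k in sorted(val, key=int)]
        elif kind == 0x08:
            val, pos = buf[pos] == 1, pos + 1
        elif kind == 0x10:
            val, pos = struct.unpack_from("<i", buf, pos)[0], pos + 4
        else:
            raise ValueError(f"unsupported BSON type 0x{kind:02x}")
        out[name] = val
    return out, end

def build_query(request_id, collection, doc):
    """OP_QUERY against "<db>.$cmd" runs the command held in doc."""
    body = struct.pack("<i", 0) + collection.encode() + b"\x00" + struct.pack("<ii", 0, -1) + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY) + body

def build_reply(response_to, doc):
    """OP_REPLY carrying one document; used here only to construct sample traffic."""
    body = struct.pack("<iqii", 0, 0, 0, 1) + bson_encode(doc)
    return struct.pack("<iiii", 16 + len(body), 99, response_to, OP_REPLY) + body

def parse_reply(msg):
    """Return (responseTo, first document) from an OP_REPLY message."""
    _, _, response_to, opcode = struct.unpack_from("<iiii", msg, 0)
    if opcode != OP_REPLY:
        raise ValueError(f"expected OP_REPLY, got opcode {opcode}")
    return response_to, bson_decode(msg, 36)[0]         # 16-byte header + 20 bytes of reply fields

def classify(reply_doc):
    """Turn a listDatabases reply into a verdict plus the database names it leaked."""
    if reply_doc.get("ok") == 1:
        return "OPEN", [d["name"] for d in reply_doc.get("databases", [])]
    if reply_doc.get("code") == 13 or "not authorized" in str(reply_doc.get("errmsg", "")):
        return "AUTH_REQUIRED", []
    return "UNKNOWN", []

def probe(host, port=MONGO_PORT, timeout=5.0):
    """Connect, send listDatabases with no credentials, classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rd:
        sock.sendall(build_query(1, "admin.$cmd", {"listDatabases": 1}))
        head = rd.read(4)                                # messageLength is the first int32
        reply = head + rd.read(struct.unpack("<i", head)[0] - 4)
    return classify(parse_reply(reply)[1])

# Constructed sample replies (not captured traffic): an open instance and a locked one.
SAMPLE_OPEN_REPLY = build_reply(1, {"databases": [{"name": "customers", "sizeOnDisk": 8192.0, "empty": False}],
                                    "totalSize": 8192.0, "ok": 1.0})
SAMPLE_LOCKED_REPLY = build_reply(1, {"ok": 0.0, "errmsg": "not authorized on admin to execute command "
                                     "{ listDatabases: 1 }", "code": 13, "codeName": "Unauthorized"})

if __name__ == "__main__":
    import sys
    print([classify(parse_reply(m)[1]) for m in (SAMPLE_OPEN_REPLY, SAMPLE_LOCKED_REPLY)])
    if len(sys.argv) > 1:                                # python probe.py <host> tests a live instance
        print(probe(sys.argv[1]))
```

Run against a host you are authorised to test; an "OPEN" verdict with database names means exactly the condition the students describe, read-and-write access with no security measure to circumvent. The same probe run from inside the network against `127.0.0.1` after hardening should return "AUTH_REQUIRED", which makes it a cheap regression check to keep in a deployment pipeline.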

The lack of any acknowledgement from the French telecoms company about the safety of its customers' data is likely to cause particular outrage.

"The fault is not complicated, but its effect is catastrophic," said Michael Backes, professor of information security and cryptography at Saarland University and director of CISPA, who was contacted by the students at the end of last month.

The students informed the French Data Protection Authority (CNIL), Germany's Federal Office for Information Security (BSI) and MongoDB so that the affected database owners could be notified.


In recent years NoSQL systems like MongoDB have challenged the relational database, long considered the ubiquitous platform for enterprise data, because they can handle far greater volumes of data. The Hadoop framework, with its distributed file system and the MapReduce parallel-processing model, has made massive inroads as organisations recognise the scope for processing large data sets.

As the leading open-source document database, MongoDB is at the centre of this trend, with several major websites and services using it as their backend. However, this security alert is likely to be a setback for the company, which last month was valued at $1.6 billion after a new round of funding from investors.

It is understood that MongoDB has made efforts to eliminate the problem, but many of the databases remain unsecured.

"MongoDB takes security very seriously," said Eliot Horowitz, CTO and co-founder at MongoDB. "Recently a team of German researchers discovered unsecured instances of MongoDB running openly on the internet.

"Readers who are concerned about access to their systems are reminded of the following resources: the most popular installer for MongoDB (RPM) limits network access to localhost by default; security is addressed in detail in our security manual; the method to do this will vary significantly depending on where the service is hosted; and users of MongoDB Management Service (MMS) can enable alerts to detect if their deployment is internet exposed.

"We encourage users who have experienced a security incident for MongoDB to create a vulnerability report."
