Tuesday, February 10, 2015 - 14:53

MongoDBGate. When idiots are tasked way over their heads

Computer science students of the University of Saarland discovered nearly 40,000 unprotected MongoDB installations accessible from public networks.

Cynical as I am, I'm going with "no surprise"... MongoDB is not secured by default. What's amazing is not that you can find unprotected installations on the net, but that you can find them at large-scale providers such as publicly listed mobile phone operators.

There's a huge difference between Joe Wanna-be Admin installing MongoDB to power his cooking homepage on a server with no firewalling at all, and a rather large mobile phone operator exposing customers, their phone numbers and credit card information to everyone on the planet.

The first one is to be expected. The second is absolutely unacceptable. Who the fuck is operating those servers? Why the hell are those ports open in the first place? It only makes sense if they were supposed to be open. If that's the case, did no one notice that you don't need any kind of authentication? Not a single soul?

If the ports were closed there wouldn't have been a public exposure problem in the first place. There still might have been internal consequences but those are usually of a different scope.

Since this is the default setup of MongoDB, which is mentioned early in the documentation, it seems whoever operates those servers - at a mobile phone provider!!! - had no idea about the service in the first place, and it's rather unlikely that he even read the documentation, or he would have stumbled over this issue. In fact you don't really need to be an expert here.

A semi-qualified admin with an average clue about anything should have wondered why he is never bothered with any kind of authentication whatsoever. And that leads to a rather simple and obvious conclusion... there is no authentication. And if there is no authentication, it's probably not a good idea to expose this service to the public.

I'd bet that most qualified admins that have no understanding of MongoDB whatsoever would ask exactly that question after installing the service.

How the fuck is that thing secured?

You can enable authentication in MongoDB, or you can - if the service is otherwise secured - just firewall access. But it's quite obvious that you have to do at least one of the two.
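As an added illustration of that "at least one of the two" point (example code, not part of the original post): a small POSIX shell audit that reads a mongod.conf in the YAML format of MongoDB 2.6 and later and checks exactly the two settings in question, `net.bindIp` (the firewall/exposure side) and `security.authorization` (the authentication side). Both config texts are constructed samples.

```shell
# Constructed sample of an out-of-the-box style mongod.conf (YAML format, MongoDB 2.6+):
# no authorization, and bindIp 0.0.0.0 (unset means the same on these versions).
INSECURE_CONF='net:
  port: 27017
  bindIp: 0.0.0.0
'

# Constructed sample with both fixes from the text applied: listen on loopback (or an
# internal address behind the firewall) and require authentication. The first admin
# user is then created over the localhost exception with db.createUser() in the mongo shell.
HARDENED_CONF='net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
'

# audit_mongod_conf CONFIG_TEXT
# Prints one finding per check; returns 0 only if mongod is neither bound to all
# interfaces nor running without authorization.
audit_mongod_conf() {
    conf="$1"
    status=0
    # Extract the scalar values of bindIp and authorization from the YAML text.
    bind=$(printf '%s\n' "$conf" | awk '$1 == "bindIp:" { print $2 }')
    auth=$(printf '%s\n' "$conf" | awk '$1 == "authorization:" { print $2 }')
    # bindIp may be a comma-separated list; any wildcard entry exposes the service.
    public=0
    [ -z "$bind" ] && public=1
    for ip in $(printf '%s' "$bind" | tr ',' ' '); do
        case "$ip" in 0.0.0.0|::) public=1 ;; esac
    done
    if [ "$public" -eq 1 ]; then
        echo "WARN: mongod listens on all interfaces (bindIp=${bind:-unset})"; status=1
    else
        echo "OK:   bindIp=$bind"
    fi
    if [ "$auth" != "enabled" ]; then
        echo "WARN: security.authorization is not enabled (value: ${auth:-unset})"; status=1
    else
        echo "OK:   security.authorization=enabled"
    fi
    return "$status"
}

audit_mongod_conf "$INSECURE_CONF" || echo "insecure sample: FAIL (as expected)"
echo "---"
audit_mongod_conf "$HARDENED_CONF" && echo "hardened sample: PASS"
```

Run it against a real `/etc/mongod.conf` with `audit_mongod_conf "$(cat /etc/mongod.conf)"`; a zero exit status means both settings are in place, which is more than the "at least one" the text demands.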

Now people start to argue that it is a failure by the MongoDB development team... because it's not secured by default(tm).

Well... no! Of course it could have been secured by default, and that likely would have prevented this particular issue. But we are not talking about a browser here, or any other application that users are exposed to. We are talking about a database server; a highly specialized database server. Users are not exposed to this kind of software. Server and/or database administrators are.

And I can expect that someone who is administering a MongoDB server actually has a minimal understanding of MongoDB. What the fuck do they do if that server ever goes south? Read a 101 tutorial on how to fix that issue?

Did you turn it off and on again?

If the guy who repairs my car needs to read a tutorial on how to change the tires, I would be skeptical. Obviously that's perfectly fine if you are administering a database server at a mobile phone operator in France. Or a firewall, if that was the origin of the problem.

Not everyone on any given team needs to be good at what he's doing. But you need someone in charge with oversight who does. And quite obviously that was not the case at the phone operator mentioned. It's not just the issue. It's that no one noticed it. I don't even want to know how that rat-shop is operated. But I really would love to know who those idiots are. I'd like to avoid them.

Comments

Kai Greshake

I am one of those particular students. I've got to say, your article was the best one yet! :D

Jens Heyens

Kind of what we were thinking.
It is definitely not MongoDB's fault - it is great software, which we are currently using ourselves.

I suppose we might need an introduction to general IT security on every software documentation page to avoid stupidity.

admin
in reply to Jens Heyens

That would require that the documentation is actually read. Which is quite often NOT the case.

It would be more productive if hosters eliminated the 'cooking book' amateur guys by periodically checking rented servers. A lot of root servers operated by amateurs - for whatever reason - have no firewalling whatsoever. You have dozens of services exposed, and nearly all of them by 'accident'. And half of the services were last updated when they were installed, resulting in an exposed server with more or less critical security issues just waiting for a hostile takeover.

For the other guys... public exposure helps. The only way enterprises like that learn is by losing customers. If the problem costs more money than the guys who WOULD NOT have caused it, HR is going to have to explain a couple of things. Security is a hidden benefit. If you don't run into it head first, there's usually always some smartass who believes there's a cheaper solution that works just as well.

Ask Microsoft about restructuring TCG. Seemed to work not quite 'just as well'.
