Tuesday, February 10, 2015 - 14:53

MongoDBGate. When idiots are tasked way over their heads

Computer science students of the university of Saarland discovered nearly 40.000 unprotected MongoDB installation accessible from public networks.

Being cynical as I am I'm opting in for to no surprise... as MongoDB by default is not secured. What's amazing is not that you can find unprotected installations on the net but that you can find them with large scale providers like listed mobile phone operators.

There's a huge difference if Joe Wanna-be Admin installs MongoDB to power his cooking homepage on a server with no firewalling at all and a rather large mobile phone operator exposing customers, their phone numbers and credit card information to everyone on the planet.

The first one is to be expected. The second is absolutely unacceptable. Who the fuck is operating those servers? Why the hell are those ports open in the first place? It only makes sense if they were supposed to be open. If that's the case. No one noticed that you don't need any kind of authentication? Not a single soul?

If the ports were closed there wouldn't have been a public exposure problem in the first place. There still might have been internal consequences but those are usually of a different scope.

Since this is the default setup of MongoDB which is mentioned early in the documentation it seems whoever operates those servers - at a mobile phone provider!!! - had no idea about the service in the first place and it's rather unlikely that he even read the documentation or he would have stumbled over this issue. In fact you don't really need to be an expert here.

A semi-qualified admin that has an average clue about whatever should have wondered about the fact that he is not bothered with any kind of authentication whatsoever. And that leads to a rather simple and obvious conclusion...there is no authentication. And if there is no authentication it's probably not a good idea to expose this service to the public.

I'd bet that most qualified admins that have no understanding of MongoDB whatsoever would ask exactly that question after installing the service.

How the fuck is that thing secured?

You can enable authentication in MongoDB or you can - if the service is otherwise secured - just firewall access. But it's quite obvious that you have to do at least one of it.

Now people start to argue that it is a failure by the development team of MongoDB...because it's not secured by default(tm).

Well....No! It of course could have been secured by default and that likely would have prevented this particular issue. But we are not talking about a browser here or any other application that users are exposed to. We are talking about a database server; a highly specialized database server. Users are not exposed to this kind of software. Server and/or database administrators are.

And I can expect that someone who is administrating a MongoDB server actually has a minimal understanding of MongoDB. What the fuck do they do if that server ever goes south? Read a tutorial 101 on how to fix that issue?

Did you turn it off and on again?

If the guy who repairs my car needs to read a tutorial on how to change the tires I would be skeptical. Obviously that's perfectly fine if you are administrating a database server at a mobile phone operator in France. Or a firewall if that was the origin of the problem.

Not every one on any given team needs to be good at what he's doing. But you need someone in charge with oversight who does. And quite obviously that was not the case here at that mentioned phone operator. It's not just the issue. It's that no one noticed it. I don't even want to know how that rat-shop is operated. But I really would love to know who those idiots are. I'd like to avoid them.